From gianluca.varenni at cacetech.com Wed Jul 1 09:39:10 2009
From: gianluca.varenni at cacetech.com (Gianluca Varenni)
Date: Wed, 1 Jul 2009 09:39:10 -0700
Subject: [Winpcap-users] Registering an Ethernet device as an interface?
References:
Message-ID: <10A3163753A549599C29CB0F6321421D@NELSON3>

I'm not exactly sure what you are trying to achieve. Correct me if I'm wrong. You have some sort of wireless device and you communicate with it through Ethernet. Now you want to expose the same wireless device as a normal network device under Windows. Right? What is the link type that this "normal network device under Windows" should expose? Ethernet? 802.11?

Have a nice day
GV

----- Original Message -----
From: "George Nychis"
To:
Sent: Tuesday, June 30, 2009 10:07 PM
Subject: [Winpcap-users] Registering an Ethernet device as an interface?

> Hi all,
>
> I have used winpcap to interface to a wireless device I have that uses
> Ethernet as its interface. I was wondering if anyone has had
> experience migrating a winpcap interface into the windows networking
> stack to be used with TCP/IP. I've seen guides for USB devices, but
> nothing using Ethernet. I'd greatly appreciate any feedback!
>
> Thanks!
> George
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users

From boaz.brickner at gmail.com Thu Jul 2 21:55:16 2009
From: boaz.brickner at gmail.com (Boaz Brickner)
Date: Fri, 3 Jul 2009 07:55:55 +0300
Subject: [Winpcap-users] Problem gathering bytes statistics on Ethernet devices
Message-ID: <3cfb70d30907022155j625bbc5bjdf67c81c56cd1184@mail.gmail.com>

Hi,

I'm using Windows XP Professional SP3 with Atheros AR8121/AR8113 PCI-E Ethernet Controller. I'm following the statistics part of the tutorial: http://www.winpcap.org/docs/docs_40_2/html/group__wpcap__tut9.html

I'm sniffing the packets I'm sending and I'm sending a batch of Ethernet packets to my Ethernet device.
If I send N packets with size 60 or greater, I'm receiving all the N packets using the statistics mode. However, when I look at the "AcceptedBytes" field according to the winpcap tutorial, I'm receiving exactly 12 bytes more per packet sent.

Example: If I send 10 packets of 60 bytes, I receive in the statistics mode 10 packets and 720 bytes (instead of 600).
Example: If I send 100 packets of 500 bytes, I receive in the statistics mode 100 packets and 51,200 bytes (instead of 50,000).

My guess is that it has something to do with the Ethernet Preamble / Start-of-Frame-Delimiter / Interframe gap fields of the Ethernet protocol since these fields are not part of the sniffed (or sent) packet. I'm not sure exactly why these 12 bytes are added to the statistics and would like to know for statistics analysis.

By the way, if I send packets with less than 60 bytes, the difference I receive per packet is 12 bytes + the number of bytes complementing to 60 bytes. This is obvious since the minimum Ethernet packet size is 60 bytes.
Example: If I send 100 packets of 25 bytes, I receive in the statistics mode 100 packets and 7,200 bytes (and not 2,500).

Thank you,
Boaz.

From jdiaz at THOMASGROUP.COM Fri Jul 3 15:17:09 2009
From: jdiaz at THOMASGROUP.COM (Diaz, Jose)
Date: Fri, 3 Jul 2009 17:17:09 -0500
Subject: [Winpcap-users] WinPcap and Windows 7 64-bit
Message-ID: <83D30DF3A1FAEB42B105067F453316807625B5@DALLASEXCH.THOMASGROUP.COM>

I haven't been able to install either WinPcap 4.0.2 or WinPcap 4.1 beta5 on my computer. I have Windows 7 Ultimate RC 64-bit. Is there anything that either I or you can do?

Thank you,

José Díaz | IT Supervisor
Thomas Group, Inc.
5221 N. O'Connor Blvd, Suite 500 | Irving, TX 75039 USA
direct: 972.401.4452 | business mobile: 214.287.5604 | personal mobile: 972.343.8109
jdiaz at thomasgroup.com | www.thomasgroup.com

The information transmitted is Thomas Group, Inc., Proprietary and Intellectual Property. It is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.

Please consider the environment before printing this email.

From gianluca.varenni at cacetech.com Mon Jul 6 12:12:47 2009
From: gianluca.varenni at cacetech.com (Gianluca Varenni)
Date: Mon, 6 Jul 2009 12:12:47 -0700
Subject: [Winpcap-users] WinPcap and Windows 7 64-bit
References: <83D30DF3A1FAEB42B105067F453316807625B5@DALLASEXCH.THOMASGROUP.COM>
Message-ID:

WinPcap 4.0.2/4.1beta5 do not officially support Win7 yet. In order to install them on Win7, you need to run the installer in Vista compatibility mode: right click on the installer and choose Properties. Go to the "Compatibility" tab, enable the checkbox "Run this program in compatibility mode for:" and then choose "Windows Vista". Then click "OK" and run the installer executable.

I've successfully installed WinPcap 4.1beta5 on a Win7 machine. I've never tried with 4.0.2, but it should work.

Have a nice day
GV
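The byte accounting behind the numbers in Boaz's statistics-mode question above, as an added example (not WinPcap code and not from the tutorial). It assumes exactly what his figures suggest: a frame shorter than the 60-byte Ethernet minimum is counted as 60, and every frame gets 12 extra bytes, which is the size of the preamble (7), start-frame delimiter (1) and FCS (4) that the NIC strips before a frame reaches the capture driver. The throughput helper mirrors the tutorial's bytes-over-microseconds calculation.

```c
/* Added example: models the statistics-mode byte accounting Boaz reports.
 * Not WinPcap code. The 12-byte overhead and the 60-byte padding are
 * assumptions drawn from his three examples, which this code reproduces. */
#include <stdint.h>
#include <stdio.h>

#define ETH_MIN_FRAME     60u   /* minimum Ethernet frame length, FCS excluded */
#define ETH_LINE_OVERHEAD 12u   /* preamble 7 + SFD 1 + FCS 4 (assumed, see above) */

/* Bytes that statistics mode accounts for a single transmitted frame. */
uint64_t stats_bytes_for_frame(uint32_t sent_len)
{
    uint32_t on_wire = sent_len < ETH_MIN_FRAME ? ETH_MIN_FRAME : sent_len;
    return (uint64_t)on_wire + ETH_LINE_OVERHEAD;
}

/* Packet and byte counters for a batch of 'count' identical frames. */
void stats_for_batch(uint32_t count, uint32_t sent_len,
                     uint64_t *packets, uint64_t *bytes)
{
    *packets = count;
    *bytes = (uint64_t)count * stats_bytes_for_frame(sent_len);
}

/* Inverse for statistics analysis: strip the per-frame line overhead to get
 * back the bytes the application actually sent. Exact only when every frame
 * was already >= 60 bytes; padding to the minimum cannot be undone. */
uint64_t app_bytes_from_stats(uint64_t packets, uint64_t bytes)
{
    return bytes - packets * ETH_LINE_OVERHEAD;
}

/* Throughput the way the tutorial computes it: a byte count over a delay
 * expressed in microseconds, converted to bits per second. */
uint64_t bits_per_second(uint64_t bytes, uint64_t delay_us)
{
    return delay_us ? (bytes * 8u * 1000000u) / delay_us : 0;
}

int main(void)
{
    uint64_t p, b;
    stats_for_batch(100, 500, &p, &b);
    printf("100 x 500-byte frames -> %llu packets, %llu bytes (app bytes %llu)\n",
           (unsigned long long)p, (unsigned long long)b,
           (unsigned long long)app_bytes_from_stats(p, b));
    return 0;
}
```

Under this model the counter is useful for line-rate estimates (it counts what the wire carried), while app_bytes_from_stats() is the figure to compare against what the sender handed to the driver.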
From gianluca.varenni at cacetech.com Mon Jul 6 12:14:34 2009
From: gianluca.varenni at cacetech.com (Gianluca Varenni)
Date: Mon, 6 Jul 2009 12:14:34 -0700
Subject: [Winpcap-users] Problem gathering bytes statistics on Ethernet devices
References: <3cfb70d30907022155j625bbc5bjdf67c81c56cd1184@mail.gmail.com>
Message-ID: <29D02778C6034B459CC4E3D80D7B3203@NELSON3>

----- Original Message -----
From: Boaz Brickner
To: winpcap-users at winpcap.org
Sent: Thursday, July 02, 2009 9:55 PM
Subject: [Winpcap-users] Problem gathering bytes statistics on Ethernet devices

> Hi,
>
> I'm using Windows XP Professional SP3 with Atheros AR8121/AR8113 PCI-E Ethernet Controller. I'm following the statistics part of the tutorial: http://www.winpcap.org/docs/docs_40_2/html/group__wpcap__tut9.html
>
> I'm sniffing the packets I'm sending and I'm sending a batch of Ethernet packets to my Ethernet device.
>
> If I send N packets with size 60 or greater, I'm receiving all the N packets using the statistics mode. However, when I look at the "AcceptedBytes" field according to the winpcap tutorial, I'm receiving exactly 12 bytes more per packet sent.

What if you capture the packets that you transmit (e.g. with Wireshark) instead of using the statistics mode? Do the packets appear ok in this case?

Have a nice day
GV

> Example: If I send 10 packets of 60 bytes, I receive in the statistics mode 10 packets and 720 bytes (instead of 600).
> Example: If I send 100 packets of 500 bytes, I receive in the statistics mode 100 packets and 51,200 bytes (instead of 50,000).
>
> My guess is that it has something to do with the Ethernet Preamble / Start-of-Frame-Delimiter / Interframe gap fields of the Ethernet protocol since these fields are not part of the sniffed (or sent) packet. I'm not sure exactly why these 12 bytes are added to the statistics and would like to know for statistics analysis.
>
> By the way, if I send packets with less than 60 bytes, the difference I receive per packet is 12 bytes + the number of bytes complementing to 60 bytes. This is obvious since the minimum Ethernet packet size is 60 bytes.
> Example: If I send 100 packets of 25 bytes, I receive in the statistics mode 100 packets and 7,200 bytes (and not 2,500).
>
> Thank you,
> Boaz.

From chong.suhx.park at intel.com Wed Jul 8 11:00:58 2009
From: chong.suhx.park at intel.com (Park, Chong SuhX)
Date: Wed, 8 Jul 2009 11:00:58 -0700
Subject: [Winpcap-users] Soap Message Filter How?
Message-ID: <68887236814FB54BBC1D0E0556DD510D4CCB1B1234@orsmsx509.amr.corp.intel.com>

I am trying to build a Windows application (using Visual Studio 2008) to collect (extract) SOAP/XML messages from a pcap file. I read the WinPcap documentation and followed many function calls but didn't find a filter or example that allows me to extract SOAP messages from a .pcap file using wpcap.lib.

Can anyone give me advice on how I can achieve this kind of thing?

Thank you in advance!

- John

From dchang at fsautomation.com Wed Jul 8 17:26:51 2009
From: dchang at fsautomation.com (David Chang)
Date: Wed, 08 Jul 2009 17:26:51 -0700
Subject: [Winpcap-users] Soap Message Filter How?
In-Reply-To: <68887236814FB54BBC1D0E0556DD510D4CCB1B1234@orsmsx509.amr.corp.intel.com>
References: <68887236814FB54BBC1D0E0556DD510D4CCB1B1234@orsmsx509.amr.corp.intel.com>
Message-ID: <4A55394B.7010509@fsautomation.com>

John,

There's a bunch of steps that you need to go through to extract SOAP messages. Do you need help conceptually with how to do that? Or do you have a specific question about how to read a .pcap file (with all the raw packet info in it)? If it's a specific question about how to read a .pcap file, I can send you some code for that.

There's no magic filter that you can specify to get only SOAP/XML packets from a .pcap file. You have to read each raw packet and decode the TCP header and figure out which host IP address and port (80 for HTTP) this packet is from/to. Then you have to get the payload out and check the application header to see if this is a SOAP/XML packet. Lastly, you may have to re-sequence the packets (packet order) using the TCP seqnum and concatenate packets (one SOAP message may require multiple packets).

You can filter based on host, protocol, and port number (host 192.168.1.1 tcp port 80) to limit the raw packet stream.

DC
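The decode chain David describes (Ethernet, then IPv4, then TCP, then the payload), written out as an added example. This is not David's code and not part of WinPcap; the frames are constructed by build_tcp_frame() in the block itself, with checksums left at zero because the decoder never verifies them. Every header offset is checked against caplen, so a truncated or malformed frame is rejected instead of being read past the end of the capture buffer, and the "tcp port 80" test is followed by a look at the payload for a SOAP envelope and a sequence-number sort so that a message split over several segments can be concatenated.

```c
/* Added example (not from the list, not WinPcap): Ethernet -> IPv4 -> TCP ->
 * payload decode of one captured frame, a port-80 plus SOAP-envelope check,
 * and seq-number ordering of several segments. Test frames are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ETH_HLEN       14
#define ETHERTYPE_IPV4 0x0800
#define IP_PROTO_TCP   6

typedef struct {
    uint32_t seq;
    uint16_t src_port, dst_port;
    const uint8_t *payload;
    size_t payload_len;
} tcp_segment_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Decode one frame of 'caplen' bytes. Every offset is checked against caplen
 * before use, so a truncated or malformed frame returns 0 rather than reading
 * past the capture buffer. Returns 1 and fills *seg for an IPv4/TCP frame. */
int decode_tcp_segment(const uint8_t *frame, size_t caplen, tcp_segment_t *seg)
{
    if (caplen < ETH_HLEN + 20 || rd16(frame + 12) != ETHERTYPE_IPV4) return 0;
    const uint8_t *ip = frame + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4, ip_total = rd16(ip + 2);
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != IP_PROTO_TCP) return 0;
    if (ip_total < ihl + 20 || ETH_HLEN + ip_total > caplen) return 0;  /* short capture */
    const uint8_t *tcp = ip + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || ihl + doff > ip_total) return 0;
    seg->src_port = rd16(tcp);
    seg->dst_port = rd16(tcp + 2);
    seg->seq = rd32(tcp + 4);
    seg->payload = tcp + doff;
    seg->payload_len = ip_total - ihl - doff;
    return 1;
}

/* Equivalent of the "tcp port 80" filter plus an application-layer look:
 * SOAP over HTTP carries an Envelope element (soap:, SOAP-ENV: or unprefixed). */
int is_soap_http_segment(const tcp_segment_t *seg)
{
    static const char needle[] = "Envelope";
    size_t n = sizeof needle - 1;
    if (seg->src_port != 80 && seg->dst_port != 80) return 0;
    for (size_t i = 0; i + n <= seg->payload_len; i++)
        if (memcmp(seg->payload + i, needle, n) == 0) return 1;
    return 0;
}

/* Order segments by sequence number and concatenate payloads into 'out'
 * (NUL-terminated). Returns bytes written; stops rather than overflow outcap.
 * Sequence-number wraparound and retransmissions are not handled here. */
size_t reassemble_payloads(tcp_segment_t *segs, int n, char *out, size_t outcap)
{
    for (int i = 1; i < n; i++)                     /* insertion sort; n is small */
        for (int j = i; j > 0 && segs[j - 1].seq > segs[j].seq; j--) {
            tcp_segment_t t = segs[j]; segs[j] = segs[j - 1]; segs[j - 1] = t;
        }
    size_t used = 0;
    for (int i = 0; i < n; i++) {
        if (used + segs[i].payload_len + 1 > outcap) break;
        memcpy(out + used, segs[i].payload, segs[i].payload_len);
        used += segs[i].payload_len;
    }
    out[used] = '\0';
    return used;
}

/* Constructed test data: a minimal Ethernet/IPv4/TCP frame (MACs zero,
 * 192.168.1.1 -> 192.168.1.2, checksums zero). Returns the frame length. */
size_t build_tcp_frame(uint8_t *out, uint16_t sport, uint16_t dport,
                       uint32_t seq, const char *payload)
{
    size_t plen = strlen(payload), total = 40 + plen;       /* IPv4 20 + TCP 20 */
    memset(out, 0, ETH_HLEN + total);
    out[12] = 0x08; out[13] = 0x00;                         /* EtherType IPv4 */
    uint8_t *ip = out + ETH_HLEN;
    ip[0] = 0x45;                                           /* version 4, IHL 5 */
    ip[2] = (uint8_t)(total >> 8); ip[3] = (uint8_t)total;
    ip[8] = 64; ip[9] = IP_PROTO_TCP;
    memcpy(ip + 12, "\xc0\xa8\x01\x01\xc0\xa8\x01\x02", 8);
    uint8_t *tcp = ip + 20;
    tcp[0] = (uint8_t)(sport >> 8); tcp[1] = (uint8_t)sport;
    tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)dport;
    tcp[4] = (uint8_t)(seq >> 24);  tcp[5] = (uint8_t)(seq >> 16);
    tcp[6] = (uint8_t)(seq >> 8);   tcp[7] = (uint8_t)seq;
    tcp[12] = 0x50; tcp[13] = 0x18;                         /* data offset 5, PSH|ACK */
    memcpy(tcp + 20, payload, plen);
    return ETH_HLEN + total;
}

int main(void)
{
    uint8_t f[128]; tcp_segment_t s;
    size_t n = build_tcp_frame(f, 80, 4321, 1, "HTTP/1.1 200 OK\r\n\r\n<soap:Envelope/>");
    return decode_tcp_segment(f, n, &s) && is_soap_http_segment(&s) ? 0 : 1;
}
```

When this runs over a real file, feed decode_tcp_segment() the header->caplen of each record, not header->len; only caplen bytes are actually present, and the bounds checks above are what keep a short record from turning into an out-of-bounds read.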
From timgrab at comcast.net Thu Jul 9 08:38:58 2009
From: timgrab at comcast.net (timgrab at comcast.net)
Date: Thu, 9 Jul 2009 15:38:58 +0000 (UTC)
Subject: [Winpcap-users] problem between WpdPack sample exe's and MFC port
Message-ID: <963249847.1964051247153938420.JavaMail.root@sz0089a.westchester.pa.mail.comcast.net>

Hi folks,

I have been writing an application using MFC in Visual Studio 2005. The application uses WinPcap to open a pcap file and modify the protocol headers so that the packets can be streamed locally on a test network and received by other applications/devices.

I have been borrowing heavily from the sample code in the WinPcap 4.0.2 Developer's Pack, and successfully porting that basic functionality from C to MFC/C++. For example, my GUI currently allows the user to open a pcap file, change the MAC addresses in the packets, and save the packets to a new file.

I ran into a problem recently. I have been creating pcap files by exporting proprietary files from a 3rd-party application into pcap format. However, it appears that the 3rd-party app, let's call it "MrSniffer", changes the caplen in the packet header to 116 bytes, no matter what it was in the original (MrSniffer-formatted) file, or what the actual length of the packet is. I am able to use Wireshark to successfully read and display all packets in their entirety from the newly-exported pcap file. Also, I am able to use the command-line executable "readfile" from the 4.0.2 Developer's Pack to read and display each packet from the MrSniffer-exported pcap file in its entirety.

It's when I try to read the file into my MFC application that I run into a problem. I use the same basic code in the "readfile"
executable for my MFC application to open the file and read the packets, i.e. I am using pcap_open_offline() to open the file, and pcap_loop() to call a dispatcher_handler with the following parameters...

    dispatcher_handler(u_char *temp1, const struct pcap_pkthdr *header, const u_char *pkt_data)

...which reads in each packet. The trouble arises when the packets are read into my application, and it appears that the pcap library functions I am using are reading the packets based on the caplen of 116 bytes, so any packets larger than 116 bytes are truncated, and I lose the rest of that data!

What is so strange about this is that I am using the same library as the Developer's Pack sample "readfile", and essentially the same code, but my application seems to read the caplen, while "readfile" uses the actual packet length.

Unfortunately, I can't change "MrSniffer" so that it does not modify the caplen; my only option appears to be to read the actual packet length from each packet when dealing with these exported pcaps. I have not been able to find a way to do this using the exported functions, probably because I am quite new to WinPcap.

If anyone has any suggestions, I'd greatly appreciate it!

Thanks and Regards,
TimG

From gianluca.varenni at cacetech.com Mon Jul 13 09:56:32 2009
From: gianluca.varenni at cacetech.com (Gianluca Varenni)
Date: Mon, 13 Jul 2009 09:56:32 -0700
Subject: [Winpcap-users] problem between WpdPack sample exe's and MFC port
References: <963249847.1964051247153938420.JavaMail.root@sz0089a.westchester.pa.mail.comcast.net>
Message-ID:

Can you send a very small trace file so that we can have a look at it?

Have a nice day
GV
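The two length fields TimG's report turns on, shown by reading the classic pcap container directly. This is an added example, not TimG's code and not WinPcap's: caplen is how many bytes of a packet are actually stored after its record header, len is the original length on the wire, and any reader, pcap_loop() included, can only ever hand an application caplen bytes. The walker below counts records whose caplen is smaller than their len, which is the quickest way to tell whether a file like the MrSniffer export is truncated in the file itself. The file image is constructed by the writer helpers at the bottom; the nanosecond-resolution magic and pcapng are deliberately not handled.

```c
/* Added example (not from the list, not WinPcap): a bounds-checked reader
 * for the classic pcap file format that reports caplen versus len per
 * record. The sample file image is constructed in main(). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PCAP_MAGIC      0xa1b2c3d4u   /* microsecond-resolution pcap */
#define PCAP_GLOBAL_LEN 24
#define PCAP_RECORD_LEN 16

typedef struct { int big_endian; uint32_t snaplen, linktype; } pcap_file_hdr_t;
typedef struct { uint32_t ts_sec, ts_usec, caplen, len; const uint8_t *data; } pcap_rec_t;

static uint32_t rd32(const uint8_t *p, int big)
{
    return big ? ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3])
               : ((uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0]);
}
static void wr32(uint8_t *p, uint32_t v, int big)
{
    for (int i = 0; i < 4; i++) p[big ? 3 - i : i] = (uint8_t)(v >> (8 * i));
}
static void wr16(uint8_t *p, uint16_t v, int big)
{
    p[big ? 0 : 1] = (uint8_t)(v >> 8); p[big ? 1 : 0] = (uint8_t)v;
}

/* Global header: the magic number decides the byte order of every later field. */
int pcap_read_global(const uint8_t *buf, size_t n, pcap_file_hdr_t *h)
{
    if (n < PCAP_GLOBAL_LEN) return 0;
    if (rd32(buf, 0) == PCAP_MAGIC) h->big_endian = 0;
    else if (rd32(buf, 1) == PCAP_MAGIC) h->big_endian = 1;
    else return 0;                                   /* not classic pcap */
    h->snaplen  = rd32(buf + 16, h->big_endian);
    h->linktype = rd32(buf + 20, h->big_endian);
    return 1;
}

/* Next record at *off. caplen is checked against the remaining file image so
 * a corrupt header cannot make the reader run past the buffer. */
int pcap_read_record(const uint8_t *buf, size_t n, size_t *off,
                     const pcap_file_hdr_t *h, pcap_rec_t *r)
{
    if (*off + PCAP_RECORD_LEN > n) return 0;        /* end of file */
    const uint8_t *p = buf + *off;
    r->ts_sec  = rd32(p, h->big_endian);
    r->ts_usec = rd32(p + 4, h->big_endian);
    r->caplen  = rd32(p + 8, h->big_endian);
    r->len     = rd32(p + 12, h->big_endian);
    if (r->caplen > n - *off - PCAP_RECORD_LEN) return 0;   /* corrupt record */
    r->data = p + PCAP_RECORD_LEN;
    *off += PCAP_RECORD_LEN + r->caplen;
    return 1;
}

/* Walk a whole file image. Returns the record count (-1 on a bad global
 * header) and, via *truncated, how many records store less than their len. */
int pcap_count_records(const uint8_t *buf, size_t n, int *truncated)
{
    pcap_file_hdr_t h; pcap_rec_t r; size_t off = PCAP_GLOBAL_LEN; int count = 0;
    *truncated = 0;
    if (!pcap_read_global(buf, n, &h)) return -1;
    while (pcap_read_record(buf, n, &off, &h, &r)) {
        count++;
        if (r.caplen < r.len) (*truncated)++;
    }
    return count;
}

/* Writers used only to construct the sample image (version 2.4, linktype 1 = Ethernet). */
size_t pcap_write_global(uint8_t *out, uint32_t snaplen, int big)
{
    wr32(out, PCAP_MAGIC, big); wr16(out + 4, 2, big); wr16(out + 6, 4, big);
    wr32(out + 8, 0, big); wr32(out + 12, 0, big);   /* thiszone, sigfigs */
    wr32(out + 16, snaplen, big); wr32(out + 20, 1, big);
    return PCAP_GLOBAL_LEN;
}
size_t pcap_write_record(uint8_t *out, const uint8_t *pkt, uint32_t caplen, uint32_t len, int big)
{
    wr32(out, 1, big); wr32(out + 4, 0, big);        /* constructed timestamp */
    wr32(out + 8, caplen, big); wr32(out + 12, len, big);
    memcpy(out + PCAP_RECORD_LEN, pkt, caplen);
    return PCAP_RECORD_LEN + caplen;
}

int main(void)
{
    uint8_t pkt[300] = {0}, file[1024];
    size_t off = pcap_write_global(file, 65535, 0);
    off += pcap_write_record(file + off, pkt, 116, 116, 0);   /* intact record */
    off += pcap_write_record(file + off, pkt, 116, 300, 0);   /* 116 of 300 bytes kept */
    int trunc, count = pcap_count_records(file, off, &trunc);
    printf("%d records, %d truncated\n", count, trunc);
    return 0;
}
```

Run against the exported file, a non-zero truncated count settles the question before any MFC code is suspected: the bytes past caplen are not in the file, so no reader can recover them. A zero count with caplen == len on every record points the other way, at how the application copies the data out of the callback.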
From yalogr at 163.com Tue Jul 14 01:59:55 2009
From: yalogr at 163.com (yalogr)
Date: Tue, 14 Jul 2009 16:59:55 +0800 (CST)
Subject: [Winpcap-users] hello,i ask about,pcap-open-live()
Message-ID: <4711282.842971247561995844.JavaMail.coremail@app155.163.com>

I have pcap_setfilter(arp) --- I just want to receive ARP packets. Now... pcap_loop(adhandle,1,dispatcher_handler,NULL); if I can say: after receiving 1 ARP packet, then return from pcap_loop. Or IP, ICMP packets...

<2 question.> I want to find alive computers, but I send 255 ARP requests, and it takes a long time to get all ARP replies. How should I set pcap_loop(,count??,) and pcap_open_live(,,time??)?
Do count and time have any relation? Thank you. I am waiting for your reply.

From prasannakumar.n at imimobile.com Tue Jul 14 03:27:55 2009
From: prasannakumar.n at imimobile.com (Prasanna Kumar Nelam)
Date: Tue, 14 Jul 2009 15:57:55 +0530
Subject: [Winpcap-users] sleep in pcap_next_ex api
Message-ID:

Dear All,

I am using the pcap_next_ex() API to read the packets from the network. In my application I implemented 2 threads, one for reading the packets from the network, and the other for processing these packets.

I am giving the code snippet; can you please suggest whether it is correct or not.

    while(true)
    {
        while((res=pcap_next_ex(pcap.m_padhandle,&header,&pkt_data))>0)
        {
            // The lines below are used to copy the captured pkt into our local buffer
            packet_capture *packet=new packet_capture();
            packet->header=(pcap_pkthdr*)malloc(sizeof(pcap_pkthdr)+1);
            memset((void*)packet->header,0,(sizeof(pcap_pkthdr)+1));
            memcpy(packet->header,header,sizeof(pcap_pkthdr));
            packet->pkt_data=(unsigned char*)malloc((int)header->caplen+1);
            memset((void*)packet->pkt_data,0,(int)header->caplen+1);
            memcpy((void*)packet->pkt_data,(void*)pkt_data,(int)header->caplen);

            // The following lines are used to put the packet into the queue;
            // the packets from this C++ queue are read by another thread
            {
                CAutoLock lock(g_syncpkt);
                pkt_capture.push(packet);
                printf("\n the queue size is:%u\n",(unsigned)pkt_capture.size());
            }
            Sleep(1);
        }
        if(res==-1)
        {
            printf("Error reading the packets: %s\n", pcap_geterr(pcap.m_padhandle));
            FILE *fp=fopen("exceptionhandler.log","a");
            if(fp)
            {
                fprintf(fp,"%s-%s\n","Error reading the packets", pcap_geterr(pcap.m_padhandle));
                fclose(fp);
            }
        }
        Sleep(1);
    }

My doubt is: is it correct to write Sleep() in the while((res=pcap_next_ex(pcap.m_padhandle,&header,&pkt_data))>0) loop? By putting the sleep there, shall we lose any packets?

Before introducing the Sleep() in the code, the processing thread was getting delayed, and I was not able to process the packets immediately after capturing; because of that the virtual memory is increasing.

Thanks in advance for your advice.

Thanks and Regds,
Prasanna Kumar.N,
Software Engineer,
R&D Networks,
Mob:9000086538

=============================================
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify the sender immediately by e-mail and delete this e-mail from your system. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Finally, the recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any attachment with this email.

IMImobile, Plot No:770, Road No : 44, Jubilee Hills, Hyderabad, India, 500033.
www.imimobile.com
=============================================
This e-mail message has been scanned for Viruses and Content and cleared by Symantec Mail Security

From guy at alum.mit.edu Tue Jul 14 11:52:18 2009
From: guy at alum.mit.edu (Guy Harris)
Date: Tue, 14 Jul 2009 11:52:18 -0700
Subject: [Winpcap-users] hello,i ask about,pcap-open-live()
In-Reply-To: <4711282.842971247561995844.JavaMail.coremail@app155.163.com>
References: <4711282.842971247561995844.JavaMail.coremail@app155.163.com>
Message-ID:

On Jul 14, 2009, at 1:59 AM, yalogr wrote:

> i have pcap_setfilter(arp)---i just want to recv arp packets.now...

Then you should set up a filter:

    struct bpf_program arp_filter;

    ...

    if (pcap_compile(adhandle, &arp_filter, "arp", 1, 0) == -1) {
        fprintf(stderr, "Can't compile the program \"arp\": %s\n",
                pcap_geterr(adhandle));
        exit(2);
    }
    if (pcap_setfilter(adhandle, &arp_filter) == -1) {
        fprintf(stderr, "Can't set the filter: %s\n",
                pcap_geterr(adhandle));
        exit(2);
    }

and *then* call pcap_loop(); your dispatch_handler routine should only see ARP packets.

> or ip,icmp-packets...

Use a different filter, such as "ip" for IPv4, "icmp" for ICMP, etc.

From swzhao at gmail.com Tue Jul 14 17:21:19 2009
From: swzhao at gmail.com (Joshua (Shiwei) Zhao)
Date: Tue, 14 Jul 2009 17:21:19 -0700
Subject: [Winpcap-users] related to a capture device
Message-ID:

I'm using Wireshark as a sniffer where it opens capture devices via winpcap. I want to edit the Windows registry related to the capture device opened by winpcap. To get the registry path of a capture device, we need to know its SubDriverKey, which could be specified somewhere in the Windows registry.
Right now in Wireshark we only have the name, description, and ip_address of an opened device. Were they retrieved from the registry table by winpcap? Is there a way to get their corresponding driver key?

In addition, I hope to be able to disable/enable the capture device programmatically. Does winpcap offer this kind of functionality?

Many thanks,
Joshua

From peter.lee.cpp at gmail.com Tue Jul 14 20:36:53 2009
From: peter.lee.cpp at gmail.com (Peter Lee)
Date: Wed, 15 Jul 2009 13:36:53 +1000
Subject: [Winpcap-users] related to a capture device
In-Reply-To:
References:
Message-ID:

Hello Joshua,

"I hope to be able to disable/enable the capture device programmatically. Does winpcap offer this kind of functionality?"

Yes, dig deeper

Good luck
From peter.lee.cpp at gmail.com Tue Jul 14 20:46:07 2009
From: peter.lee.cpp at gmail.com (Peter Lee)
Date: Wed, 15 Jul 2009 13:46:07 +1000
Subject: [Winpcap-users] sleep in pcap_next_ex api
In-Reply-To:
References:
Message-ID:

Hi Prasanna Kumar Nelam,

The following links might be helpful:
http://www.winpcap.org/pipermail/winpcap-users/2006-September/001464.html
http://www.winpcap.org/pipermail/winpcap-users/2007-May/001858.html

Good luck
Peter
www.imimobile.com > ========================================================================================================================================================== > This e-mail message has been scanned for Viruses and Content and cleared by > Symantec Mail Security > > > > > _______________________________________________ > Winpcap-users mailing list > Winpcap-users at winpcap.org > https://www.winpcap.org/mailman/listinfo/winpcap-users > > From peter.lee.cpp at gmail.com Tue Jul 14 20:53:58 2009 From: peter.lee.cpp at gmail.com (Peter Lee) Date: Wed, 15 Jul 2009 13:53:58 +1000 Subject: [Winpcap-users] problem between WpdPack sample exe's and MFC port In-Reply-To: <963249847.1964051247153938420.JavaMail.root@sz0089a.westchester.pa.mail.comcast.net> References: <963249847.1964051247153938420.JavaMail.root@sz0089a.westchester.pa.mail.comcast.net> Message-ID: It is so tiring to read a long post without code example... Can you send a small example. Good luck On Fri, Jul 10, 2009 at 1:38 AM, wrote: > Hi folks, > > > > I have been writing an application using MFC in Visual Studio 2005.? The > application uses WinPcap to open a pcap file and modify the protocol headers > so that the packets can be streamed locally on a test network and received > by other applications/devices. > > > > I have been borrowing heavily from the sample code in the WinPcap 4.0.2 > Developer?s Pack, and successfully porting that basic functionality from C > to MFC/C++.? For example, my GUI currently allows the user to open a pcap > file, change the MAC addresses in the packets, and save the packets to a new > file. > > > > I ran into a problem recently.? I have been creating pcap files by exporting > proprietary files from a 3rd party application into pcap format.? 
However, > it appears that the 3rd-party app, let?s call it ?MrSniffer?, changes the > caplen in the packet header to 116 bytes, no matter what it was in the > original (MrSniffer-formatted) file, or what the actual length of the packet > is.? I am able to use Wireshark to successfully read and display all packets > in their entirety from the newly-exported pcap file.? Also, I am able to use > the command-line executable ?readfile? from the 4.0.2 Developer?s Pack to > read and display each packet from the MrSniffer-exported pcap file in its > entirety. > > > > It?s when I try to read the file into my MFC application that I run into a > problem.? I use the same basic code in the ?readfile? executable for my MFC > application to open the file and read the packets, i.e. I am using > pcap_open_offline() to open the file, and pcap_loop() to call a > dispatcher_handler with the following parameters? > > > > dispatcher_handler(u_char *temp1, const struct pcap_pkthdr *header, const > u_char *pkt_data) > > > > ?which reads in each packet.? The trouble arises when the packets are read > into my application, and it appears that the pcap library functions I am > using are reading the packets based on the caplen of 116 bytes ? so any > packets larger than 116 bytes are truncated, and I lose the rest of that > data! > > > > What is so strange about this is that I am using the same library as the > Developer?s Pack sample ?readfile?, and essentially the same code, but my > application seems to read the caplen, while ?readfile? uses the actual > packet length. > > > > Unfortunately, I can?t change ?MrSniffer? so that it does not modify the > caplen; my only option appears to be to read the actual packet length from > each packet when dealing with these exported pcaps. ?I have not been able to > find a way to do this using the exported functions ? probably because I am > quite new to WinPcap. > > > > If anyone has any suggestions, I?d greatly appreciate it! 
> > > > Thanks and Regards ? > > > > TimG > > _______________________________________________ > Winpcap-users mailing list > Winpcap-users at winpcap.org > https://www.winpcap.org/mailman/listinfo/winpcap-users > > From gianluca.varenni at cacetech.com Wed Jul 15 09:04:53 2009 From: gianluca.varenni at cacetech.com (Gianluca Varenni) Date: Wed, 15 Jul 2009 09:04:53 -0700 Subject: [Winpcap-users] related to a capture device References: Message-ID: ----- Original Message ----- From: Joshua (Shiwei) Zhao To: winpcap-users at winpcap.org Sent: Tuesday, July 14, 2009 5:21 PM Subject: [Winpcap-users] related to a capture device I'm using Wireshark as sniffer where it opens capture devices via winpcap. I want to edit the window registry related to the capture device opened by winpcap. To get the registry path of a capture device, we need to know its SubDriverKey which could be specified somewhere in windows registry. Right now in Wireshark we only have the name, description, and ip_address of an opened device. Were they retrieved from registry table by winpcap? The description is retrieved with an OID to the miniport controlling the NIC. The name is generated out of the original GUID of the device prepended with a prefix (prefix that is not documented). IP addresses are retrieved in a combination of ways, including registry and IP helper API. Is there a way to get their corresponding driver key? It might be possible to get the device hardware subkeys out of the GUID of the device, but I never tried myself, and in any case it goes into the undocumented land. What I would do is use the Setup API to enumerate all the network devices until you find the one you are interested in and change the appropriate parameters. In addition, I hope to be able to disable/enable the capture device programmingly. Does winpcap offer this kind of functionality? No. You need to use the Setup API for that. 
Have a nice day
GV

> Many thanks,
> Joshua

From yu.wang at jp.fujitsu.com Thu Jul 16 21:58:50 2009
From: yu.wang at jp.fujitsu.com (=?ISO-2022-JP?B?GyRCXWohIXkoGyhC?=)
Date: Fri, 17 Jul 2009 13:58:50 +0900
Subject: [Winpcap-users] trouble about CIFS/SMB protocol
In-Reply-To: <4A5FFEE7.8060503@jp.fujitsu.com>
References: <4A5FFEE7.8060503@jp.fujitsu.com>
Message-ID: <4A60050A.9030109@jp.fujitsu.com>

Hello, my name is wan.

Now I am developing a packet analysis tool based on winpcap (4.0.1). My main focus is on the CIFS/SMB (Server Message Block) protocol. We use Wireshark or Ethereal to see the file access packets from a client operating on files on a file server. Sometimes we find that AccountName (Account Name) and NativeOS (OS of the client) in the SMB_COM_SESSION_SETUP_ANDX command packet (request) are set to nothing. I just want to know the reason and timing. Any information is welcome.

Thanks in advance.

From prasannakumar.n at imimobile.com Thu Jul 16 23:39:21 2009
From: prasannakumar.n at imimobile.com (Prasanna Kumar Nelam)
Date: Fri, 17 Jul 2009 12:09:21 +0530
Subject: [Winpcap-users] how to check packet missing in wpcap
Message-ID: <003E45E98DDE419EAAA8B828A07C7C7E@imidomain.com>

Dear All,

I am capturing TCP packets using Winpcap. How can I check whether all packets are captured from the network driver? Is there any system-related API to check how many TCP packets came to the network driver up to that time?

Thanks in advance.

Thanks and Regds,
Prasanna Kumar.N,
Software Engineer,
R&D Networks,
Mob:9000086538

From gianluca.varenni at cacetech.com Fri Jul 17 10:20:25 2009
From: gianluca.varenni at cacetech.com (Gianluca Varenni)
Date: Fri, 17 Jul 2009 10:20:25 -0700
Subject: [Winpcap-users] how to check packet missing in wpcap
References: <003E45E98DDE419EAAA8B828A07C7C7E@imidomain.com>
Message-ID: <29C804B9872D466AA1D1858FA52962F5@NELSON3>

Use pcap_stats to get the number of dropped frames.

Have a nice day
GV

----- Original Message -----
From: Prasanna Kumar Nelam
To: winpcap-users at winpcap.org
Sent: Thursday, July 16, 2009 11:39 PM
Subject: [Winpcap-users] how to check packet missing in wpcap

> Dear All,
>
> I am capturing TCP packets using Winpcap. How can I check whether all
> packets are captured from the network driver? Is there any system-related
> API to check how many TCP packets came to the network driver up to that
> time?
>
> Thanks in advance.
>
> Thanks and Regds,
> Prasanna Kumar.N
From Ed.Sassone at autonomy.com Tue Jul 14 13:02:19 2009
From: Ed.Sassone at autonomy.com (Sassone, Ed)
Date: Tue, 14 Jul 2009 15:02:19 -0500
Subject: [Winpcap-users] pcap_setbuff occasional failure
In-Reply-To: 
References: <3E0D4FE2886743D5BF6FB7B00A3043C6@nelson2>
Message-ID: 

Attached is a screen shot of the Task Manager on a system with the pcap_setbuff failure. Sorry it is a little small.

Ed Sassone

CONFIDENTIALITY NOTICE: This communication and any files or attachments transmitted with it contain information that is confidential to the sender and/or Autonomy, Inc., privileged or exempt from disclosure under applicable law. It is intended solely for the use of the individual or the entity to which it is addressed. If you are not the intended recipient(s), you are hereby notified that any use, dissemination, or copying of this communication is strictly prohibited; please do not read, copy, use or disclose the content of this communication to others. If you have received this communication in error, please delete it and contact our network administrator at (214) 981-3100. Thank you.

________________________________
From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Gianluca Varenni
Sent: Thursday, June 04, 2009 11:40 AM
To: winpcap-users at winpcap.org
Subject: Re: [Winpcap-users] pcap_setbuff occasional failure

> Almost for sure it's not a problem with the application. It could be either
> a bug in the winpcap driver, or a bug in some other driver in the system
> that causes some memory exhaustion. It's like when a malloc fails in an
> application. A malloc can fail, usually due to either some memory leak in
> the application or due to virtual memory exhaustion on the system.
>
> Have a nice day
> GV

----- Original Message -----
From: Sassone, Ed
To: winpcap-users at winpcap.org
Sent: Thursday, June 04, 2009 9:29 AM
Subject: Re: [Winpcap-users] pcap_setbuff occasional failure

> Thanks. Also, can you think of anything in the application that we should
> do or should not do that might cause this? The error happens very rarely,
> so it is hard to catch. We are using separate pcap_t handles for each
> thread.
>
> Ed Sassone

________________________________
From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Gianluca Varenni
Sent: Wednesday, June 03, 2009 2:36 PM
To: winpcap-users at winpcap.org
Subject: Re: [Winpcap-users] pcap_setbuff occasional failure

> The buffer is on an open-instance basis, not on a NIC basis. So it's
> perfectly safe to have two threads setting different buffer sizes on the
> same adapter, *provided* that you are using two different pcap_t handles.
>
> Having said that, without a task manager screenshot it's impossible to
> understand why it failed. The error basically means that a malloc in the
> kernel driver failed, but it's impossible to know why without more
> information about the memory load at the time of the failure...
>
> Have a nice day
> GV

----- Original Message -----
From: Sassone, Ed
To: winpcap-users at winpcap.org
Sent: Monday, June 01, 2009 7:33 AM
Subject: Re: [Winpcap-users] pcap_setbuff occasional failure

> We finally caught the error. We did not get the Task Manager screen shot.
> Also, you are correct in that serializing the initialization did not help.
>
> One thing interesting: we have two threads per NIC card setting different
> buffer sizes. The first allocation worked and the second did not. The
> bracketed number is the thread id.
>
> 05/29 14:24:54.53 Interface.cpp:93: [00001A54] Set buffer size to 1048576 for interface \Device\NPF_{F4E3EFD7-CAB0-481B-86E3-874358548A34} : Signaling Interface
> 05/29 14:24:54.53 Interface.cpp:85: [00001174] Could not set buffer size to 5242880 for interface \Device\NPF_{F4E3EFD7-CAB0-481B-86E3-874358548A34}: driver error: not enough memory to allocate the kernel buffer
>
> Ed Sassone
> www.autonomy.com

________________________________
From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Sassone, Ed
Sent: Wednesday, October 08, 2008 3:12 PM
To: winpcap-users at winpcap.org
Subject: RE: [Winpcap-users] pcap_setbuff occasional failure

> Essentially a critical section around all the adapter initialization calls,
> so it will only be in one set at a time, across all threads and adapters.
>
> Unfortunately I didn't have it print the pcap_geterr string. I just put
> that in. It may be awhile until we catch it in the act.
>
> thanks
> Ed Sassone

From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Gianluca Varenni
Sent: Wednesday, October 08, 2008 2:05 PM
To: winpcap-users at winpcap.org
Subject: Re: [Winpcap-users] pcap_setbuff occasional failure

> Serializing pcap_setbuff should not be necessary (serializing against what?
> multiple calls on the same adapter? on the same pcap_t handle?).
>
> Especially considering that the only solution is a reboot, I would think
> that there is some sort of leak either in the WinPcap driver or in some
> other driver in the system.
>
> What's the exact error message returned by pcap_setbuff?
>
> Also, after the problem occurs and before rebooting, open Task Manager, go
> to the Performance Tab and send me a screenshot of it, if possible.
>
> Have a nice day
> GV

----- Original Message -----
From: Sassone, Ed
To: winpcap-users at winpcap.org
Sent: Monday, October 06, 2008 2:15 PM
Subject: [Winpcap-users] pcap_setbuff occasional failure

> Hi
>
> Every so often in our application during startup, the pcap_setbuff call
> will fail. We are unable to re-create the problem, but it seems to happen
> after the application has been stopped and started a number of times. Once
> the failure occurs it will continue to occur, until a reboot.
>
> Our app is multithreaded with two threads starting per interface card, and
> we can have more than one interface card configured. The buffer size
> specified can vary, but it's usually around 5-10 MB.
>
> I have recently put in some changes to serialize the command in case there
> is a timing issue, as I'm not sure if the call is thread safe. I remember
> there was a thread issue with the filter command.
>
> This is on Windows 2003.
>
> Any other ideas?
>
> thanks
> Ed Sassone

-------------- next part --------------
A non-text attachment was scrubbed...
Name: WinPcap task mgr.PNG
Type: image/png
Size: 43648 bytes
Desc: WinPcap task mgr.PNG
Url : http://www.winpcap.org/pipermail/winpcap-users/attachments/20090714/459e2c03/attachment-0001.png

From gianluca.varenni at cacetech.com Fri Jul 17 17:19:45 2009
From: gianluca.varenni at cacetech.com (Gianluca Varenni)
Date: Fri, 17 Jul 2009 17:19:45 -0700
Subject: [Winpcap-users] pcap_setbuff occasional failure
References: <3E0D4FE2886743D5BF6FB7B00A3043C6@nelson2>
Message-ID: 

32 or 64bit windows?

Have a nice day
GV

----- Original Message -----
From: Sassone, Ed
To: winpcap-users at winpcap.org
Sent: Tuesday, July 14, 2009 1:02 PM
Subject: Re: [Winpcap-users] pcap_setbuff occasional failure

> Attached is a screen shot of the Task Manager on a system with the
> pcap_setbuff failure. Sorry it is a little small.
>
> Ed Sassone

From prasannakumar.n at imimobile.com Fri Jul 17 22:55:22 2009
From: prasannakumar.n at imimobile.com (Prasanna Kumar Nelam)
Date: Sat, 18 Jul 2009 11:25:22 +0530
Subject: [Winpcap-users] how to check packet missing in wpcap
In-Reply-To: <29C804B9872D466AA1D1858FA52962F5@NELSON3>
References: <003E45E98DDE419EAAA8B828A07C7C7E@imidomain.com> <29C804B9872D466AA1D1858FA52962F5@NELSON3>
Message-ID: <2228770977EE4E15880C8C4A2F19949E@imidomain.com>

Thank u very much GV,

Pcap_stats is working fine in windows but the same is not working in linux.
In linux it is giving the number of captured packets as 1 and the number of dropped packets as 0 always. In windows, every time the count is incrementing.

Thanks and Regds,
Prasanna Kumar.N

_____
From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Gianluca Varenni
Sent: Friday, July 17, 2009 10:50 PM
To: winpcap-users at winpcap.org
Subject: Re: [Winpcap-users] how to check packet missing in wpcap

> Use pcap_stats to get the number of dropped frames.
>
> Have a nice day
> GV
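TimG's message earlier in this section turns on the difference between a record's captured length (caplen, stored in the pcap file as incl_len) and its original length on the wire (len, stored as orig_len): when a record header says incl_len is 116, only 116 bytes of that packet follow it in the file, and a reader that copies caplen bytes is reading exactly what is stored. The following is an added example (editor's code, not from the thread and not WinPcap's own): a bounds-checked scanner for the classic pcap file format that counts records shorter than their wire length and refuses any length field that points past the end of the input, which is how a capture-file reader should treat untrusted data. The file image is constructed inline (snaplen 116, one 60-byte frame stored whole, one 300-byte frame cut to 116 captured bytes); `scan_pcap`, `build_sample`, `scan_sample` and the numeric error codes are names chosen for this example.

```c
/* Added example, not code from the thread or from WinPcap: a bounds-checked
 * scanner for the classic pcap file format. It separates a record's captured
 * length (incl_len, what pcap_pkthdr.caplen reports) from its length on the
 * wire (orig_len, pcap_pkthdr.len) and never trusts a length field before
 * checking it against the bytes actually present. The sample file image is
 * constructed here for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCAP_MAGIC_USEC     0xa1b2c3d4u  /* microsecond-timestamp pcap magic */
#define PCAP_GLOBAL_HDR_LEN 24
#define PCAP_RECORD_HDR_LEN 16
#define LINKTYPE_ETHERNET   1

struct pcap_summary {
    uint32_t snaplen;       /* snaplen announced by the global header */
    size_t   records;       /* records parsed completely */
    size_t   truncated;     /* records with incl_len < orig_len */
    size_t   over_snaplen;  /* records whose incl_len exceeds snaplen */
    int      error;         /* 0 = clean end of input, otherwise a malformed-input code */
};

/* Read a little-endian 32-bit field, swapping when the file was written big-endian. */
static uint32_t rd32(const uint8_t *p, int swapped)
{
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    if (swapped)
        v = (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
    return v;
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk every record in buf[0..len). Error codes (chosen for this example):
 * 1 short global header, 2 unknown magic, 3 torn record header,
 * 4 incl_len runs past the end of the input. */
struct pcap_summary scan_pcap(const uint8_t *buf, size_t len)
{
    struct pcap_summary s;
    memset(&s, 0, sizeof s);
    if (len < PCAP_GLOBAL_HDR_LEN) { s.error = 1; return s; }

    uint32_t magic = rd32(buf, 0);
    int swapped;
    if (magic == PCAP_MAGIC_USEC)  swapped = 0;
    else if (magic == 0xd4c3b2a1u) swapped = 1;   /* same magic, other byte order */
    else { s.error = 2; return s; }

    s.snaplen = rd32(buf + 16, swapped);
    size_t off = PCAP_GLOBAL_HDR_LEN;
    while (off < len) {
        if (len - off < PCAP_RECORD_HDR_LEN) { s.error = 3; return s; }
        uint32_t incl_len = rd32(buf + off + 8, swapped);
        uint32_t orig_len = rd32(buf + off + 12, swapped);
        off += PCAP_RECORD_HDR_LEN;
        if (incl_len > len - off) { s.error = 4; return s; }  /* would read past the buffer */
        if (incl_len > s.snaplen) s.over_snaplen++;
        if (incl_len < orig_len)  s.truncated++;              /* caplen < len: a cut packet */
        off += incl_len;
        s.records++;
    }
    return s;
}

/* Constructed sample: snaplen 116, one 60-byte frame stored whole and one
 * 300-byte frame of which only 116 bytes were kept. With lie != 0 the second
 * header claims 300 captured bytes while only 116 follow, a malformed file. */
size_t build_sample(uint8_t *out, int lie)
{
    size_t off = 0;
    wr32(out + off, PCAP_MAGIC_USEC);   off += 4;
    out[off++] = 2; out[off++] = 0;     /* version 2.4 */
    out[off++] = 4; out[off++] = 0;
    wr32(out + off, 0);                 off += 4;   /* thiszone */
    wr32(out + off, 0);                 off += 4;   /* sigfigs */
    wr32(out + off, 116);               off += 4;   /* snaplen */
    wr32(out + off, LINKTYPE_ETHERNET); off += 4;

    wr32(out + off, 1247000000); off += 4;          /* record 1: ts_sec, ts_usec */
    wr32(out + off, 0);          off += 4;
    wr32(out + off, 60);         off += 4;          /* incl_len == orig_len */
    wr32(out + off, 60);         off += 4;
    memset(out + off, 0xAA, 60); off += 60;

    wr32(out + off, 1247000001);        off += 4;   /* record 2 */
    wr32(out + off, 0);                 off += 4;
    wr32(out + off, lie ? 300u : 116u); off += 4;   /* incl_len */
    wr32(out + off, 300);               off += 4;   /* orig_len */
    memset(out + off, 0xBB, 116);       off += 116;
    return off;                                     /* 232 bytes */
}

/* Driver for the checks: build the sample image and scan it. */
struct pcap_summary scan_sample(int lie)
{
    uint8_t img[256];
    size_t n = build_sample(img, lie);
    return scan_pcap(img, n);
}

int main(void)
{
    struct pcap_summary s = scan_sample(0);
    printf("records=%zu truncated=%zu over_snaplen=%zu error=%d\n",
           s.records, s.truncated, s.over_snaplen, s.error);
    s = scan_sample(1);
    printf("malformed image: records=%zu error=%d\n", s.records, s.error);
    return 0;
}
```

Compile with any C99 compiler and run it; on a real file, read the whole file into memory first and hand the buffer to `scan_pcap`. The second run shows the behaviour that matters for a tool reading files it did not produce: when a header's incl_len disagrees with the bytes actually present, the scanner stops with an error instead of copying past the end of its buffer.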
From j at justinkremer.com Sat Jul 18 18:11:37 2009
From: j at justinkremer.com (Justin Kremer)
Date: Sat, 18 Jul 2009 21:11:37 -0400
Subject: [Winpcap-users] DLink DWA643 support - promiscuous mode

I'm having issues using my D-Link DWA-643 with Wireshark and a variety of other programs which use WinPcap. In Wireshark, I get the "failed to set hardware filter to promiscuous mode" message. I reviewed the documentation on the WinPcap website which suggests using WinDump for troubleshooting; this gives me the same error: "windump: failed to set hardware filter to promiscuous mode".

What is odd is that this card works fine with CommView! I have tried WinPcap with the OEM driver and the CommView-modified driver; both yield the same error. If the card is able to go into promiscuous mode in CommView, why wouldn't it do it with WinPcap???

TIA for any assistance,
-- Justin

From prasannakumar.n at imimobile.com Mon Jul 20 00:09:59 2009
From: prasannakumar.n at imimobile.com (Prasanna Kumar Nelam)
Date: Mon, 20 Jul 2009 12:39:59 +0530
Subject: [Winpcap-users] pcap_stas
Message-ID: <3ED1C40F80374A41906970C829EAF4F4@imidomain.com>

Dear All,
Is there any difference in the working of pcap_stats in WinPcap and libpcap? Whenever I use this function in Windows for the statistics it is giving the count; every time I call this API, it is giving the number of packets from the start of the run. But in libpcap, it is giving pcap recv packets as 1 or 2 and drop is 0.

Thanks and Regds,
Prasanna Kumar.N

From guy at alum.mit.edu Mon Jul 20 00:47:58 2009
From: guy at alum.mit.edu (Guy Harris)
Date: Mon, 20 Jul 2009 00:47:58 -0700
Subject: [Winpcap-users] pcap_stas
Message-ID: <58AD7A0E-BD26-4834-B5A8-333A7DCB2CCA@alum.mit.edu>

On Jul 20, 2009, at 12:09 AM, Prasanna Kumar Nelam wrote:

> Is there any difference of working of pcap_stats in winpcap and
> libpcap.

The behavior of pcap_stats() is somewhat platform-dependent.

> Whenever I use this function in windows for the statestics it is
> giving the count, every time I call this API, it is giving the num
> of packets from start of run.
> But in libpcap, it is giving pcap recv packets as 1 or 2 and drop is
> 0.

In libpcap on what operating system? Linux? Solaris? *BSD/Mac OS X? Some other operating system?

From prasannakumar.n at imimobile.com Mon Jul 20 02:11:00 2009
From: prasannakumar.n at imimobile.com (Prasanna Kumar Nelam)
Date: Mon, 20 Jul 2009 14:41:00 +0530
Subject: [Winpcap-users] pcap_stas

I am using libpcap in Linux.

Thanks and Regds,
Prasanna Kumar.N
From guy at alum.mit.edu Mon Jul 20 10:47:15 2009
From: guy at alum.mit.edu (Guy Harris)
Date: Mon, 20 Jul 2009 10:47:15 -0700
Subject: [Winpcap-users] pcap_stas
Message-ID: <15F2950B-2C03-4FB1-8507-01E60A8423C4@alum.mit.edu>

On Jul 20, 2009, at 2:11 AM, Prasanna Kumar Nelam wrote:

> I am using libpcap in linux.

What's the version number of libpcap?

From rax20037 at gmail.com Mon Jul 20 13:54:35 2009
From: rax20037 at gmail.com (Raul Gerardo Huertas Paiva)
Date: Mon, 20 Jul 2009 15:54:35 -0500
Subject: [Winpcap-users] Hello

Hello!

I have a tool called 'Free IP Tools' which can handle TCP raw sockets and lets me see what I'm receiving on a specified port. I'm actually sending data to it from a remote device, but now I want to create my own server to receive that data. I know WinPcap is actually capturing the connection reset commands from the remote device, but the remote device receives a 'remote host has rejected the connection'... which is expected because I have not opened any, I'm just monitoring my network... but... can I use WinPcap to implement my TCP raw socket server... how?

--
We all make mistakes, but it is never too late to try again.

From prasannakumar.n at imimobile.com Mon Jul 20 21:19:24 2009
From: prasannakumar.n at imimobile.com (Prasanna Kumar Nelam)
Date: Tue, 21 Jul 2009 09:49:24 +0530
Subject: [Winpcap-users] pcap_stas
Message-ID: <3A4B2989DED1499096156A4AA3F2DF20@imidomain.com>

Hello Harris,
Thank u very much for ur help. I am using Red Hat Enterprise Linux, where 2.6.9-42ELsmp is the kernel version, and the libpcap version is libpcap-0.8.3-10.RHEL4.

Thanks and Regds,
Prasanna Kumar.N

From dvtkadmin at gmail.com Mon Jul 20 22:59:03 2009
From: dvtkadmin at gmail.com (admin DVTk)
Date: Tue, 21 Jul 2009 07:59:03 +0200
Subject: [Winpcap-users] Windows Vista NPF Driver Issue
Message-ID: <76a4d8d70907202259lbb31158oba9b3ecbfb6569ac@mail.gmail.com>

After installing WinPcap 4.0.2 on Windows Vista our capture application (DICOM Network Analyzer) is not able to see the network interfaces. The issue seems to be related to the NPF driver not running, but actions to enable this via "net start npf" don't work.

If I install Wireshark and during setup choose the option to install and enable the NPF driver, the problem is resolved. Is there an additional step that needs to be performed to make WinPcap work on Windows Vista, in either the setup or the application using WinPcap?

DVTk Team.

From guy at alum.mit.edu Tue Jul 21 02:56:18 2009
From: guy at alum.mit.edu (Guy Harris)
Date: Tue, 21 Jul 2009 02:56:18 -0700
Subject: [Winpcap-users] pcap_stas

On Jul 20, 2009, at 9:19 PM, Prasanna Kumar Nelam wrote:

> Thank u very much for ur help, I am using Redhat enterprise version
> linux,
> where 2.6.9-42ELsmp is the kernel version, and libpcap version is
> libpcap-0.8.3-10.RHEL4.

Libpcap 0.8.3 had a bug on Linux wherein pcap_stats() would, on platforms where

1) the kernel supplies packet capture/filter statistics, which is true at least as of the 2.4.20 kernel (so it's true in the 2.6.9 kernel)

and

2) libpcap was compiled to use that (which it is by default),

return counts from the previous time pcap_stats() was called (or from the start of the capture if pcap_stats() is being called for the first time), not counts from the start of the capture. In that case, the received packets value is the number of packets received since the last time you called pcap_stats(), not since the capture started, and the same is true of the dropped packets value.

That bug is fixed in newer versions of libpcap.
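As an added example (not code from this thread, WinPcap or libpcap), the C below turns successive pcap_stats() results into capture-lifetime totals whichever convention the library follows, so the dropped-packet count GV points to earlier can be read the same way on WinPcap and on a libpcap that reports per-call deltas as Guy describes. Assumptions made for the example: the sample struct mirrors the ps_recv/ps_drop fields locally so it builds without pcap.h, the version cutoff treats 0.8.3 and older as delta-reporting, and the sample sequences are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local stand-in for the ps_recv/ps_drop fields of libpcap's struct pcap_stat,
 * defined here so the example builds without pcap.h. In a real program each
 * sample is what pcap_stats(handle, &st) filled in. */
struct stat_sample {
    uint32_t ps_recv;   /* packets the capture driver received */
    uint32_t ps_drop;   /* packets the driver dropped (kernel buffer full) */
};

/* Decides from the pcap_lib_version() string whether counts are "since the
 * previous call". Assumption made for this example, based on the thread: 0.8.3
 * and older report deltas, newer libpcap and WinPcap report totals. Handles
 * both "libpcap version 0.8.3" and the WinPcap form "WinPcap version 4.0.2
 * (packet.dll version 4.0.0.1040), based on libpcap version 0.9.5". */
bool libpcap_reports_deltas(const char *lib_version)
{
    static const char tag[] = "libpcap version ";
    const char *p = strstr(lib_version, tag);
    unsigned major, minor, patch;
    if (p == NULL || sscanf(p + sizeof tag - 1, "%u.%u.%u", &major, &minor, &patch) != 3)
        return false;
    if (major != 0)
        return false;
    return minor < 8 || (minor == 8 && patch <= 3);
}

/* Accumulates successive pcap_stats() samples into capture-lifetime totals,
 * whichever convention the library in use follows. */
struct stat_tracker {
    bool delta_mode;                  /* samples are "since previous call" */
    uint32_t last_recv, last_drop;    /* previous cumulative sample */
    uint64_t total_recv, total_drop;  /* totals since the capture started */
};

void tracker_init(struct stat_tracker *t, bool delta_mode)
{
    memset(t, 0, sizeof *t);
    t->delta_mode = delta_mode;
}

/* Feeds one sample and returns the packets dropped since the previous sample:
 * a non-zero value is the "packets went missing" signal the thread asks about.
 * Cumulative counters are 32-bit, so the unsigned subtraction stays correct
 * when they roll over. */
uint64_t tracker_update(struct stat_tracker *t, struct stat_sample s)
{
    uint32_t d_recv, d_drop;
    if (t->delta_mode) {
        d_recv = s.ps_recv;
        d_drop = s.ps_drop;
    } else {
        d_recv = s.ps_recv - t->last_recv;
        d_drop = s.ps_drop - t->last_drop;
        t->last_recv = s.ps_recv;
        t->last_drop = s.ps_drop;
    }
    t->total_recv += d_recv;
    t->total_drop += d_drop;
    return d_drop;
}

/* Share of all packets seen by the driver that never reached the application. */
double tracker_drop_ratio(const struct stat_tracker *t)
{
    uint64_t seen = t->total_recv + t->total_drop;
    return seen == 0 ? 0.0 : (double)t->total_drop / (double)seen;
}

/* Runs a whole sequence of samples through a tracker; returns total drops and
 * stores total received packets in *recv_out. */
uint64_t tally_samples(bool delta_mode, const struct stat_sample *samples,
                       size_t n, uint64_t *recv_out)
{
    struct stat_tracker t;
    tracker_init(&t, delta_mode);
    for (size_t i = 0; i < n; i++)
        tracker_update(&t, samples[i]);
    if (recv_out != NULL)
        *recv_out = t.total_recv;
    return t.total_drop;
}

int main(void)
{
    /* Constructed samples: what three successive pcap_stats() calls during the
     * same capture might return on each platform. */
    const struct stat_sample cumulative[] = { {10, 0}, {25, 2}, {40, 2} };
    const struct stat_sample deltas[]     = { {10, 0}, {15, 2}, {15, 0} };
    uint64_t recv, drop;
    drop = tally_samples(libpcap_reports_deltas("libpcap version 0.9.5"), cumulative, 3, &recv);
    printf("WinPcap/libpcap 0.9.5: recv=%llu drop=%llu\n", (unsigned long long)recv, (unsigned long long)drop);
    drop = tally_samples(libpcap_reports_deltas("libpcap version 0.8.3"), deltas, 3, &recv);
    printf("libpcap 0.8.3 on Linux: recv=%llu drop=%llu\n", (unsigned long long)recv, (unsigned long long)drop);
    return 0;
}
```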
From bsalibrici at scidyn.com Tue Jul 21 06:52:04 2009
From: bsalibrici at scidyn.com (bsalibrici at scidyn.com)
Date: Tue, 21 Jul 2009 09:52:04 -0400
Subject: [Winpcap-users] Access violation when using pcap_findalldevs_ex
Message-ID: <1409.1248184324@scidyn.com>

Hello Everyone,

I am using WinXP Professional SP3 and Microsoft Visual Studio 6.0 with SP5. I installed WinPcap version 4.0.2. I also got the WpdPack and compiled your basic_dump example (in ...\WpdPack\Examples-pcap\basic_dump). The only thing I had to add to the Visual C++ project was IPHlpApi.Lib (6/16/1999 12:44 PM).

When I try to execute the app out of the debugger, it crashes at the call to pcap_findalldevs. I verified that the npf driver was running before I ran the app - and it was. Here is the error:

Unhandled exception in basic_dump.exe (NDISNPP.DLL): 0xC0000005: Access Violation.
Call Stack: NDISNPP! 5a704d91()

I searched your FAQs and your winpcap-users mailing list archives for this or a similar problem. The only thing I found was a post back in August 2008 where ?. Rasta posted a similar problem. However, I didn't see a response or a resolution??

Interestingly enough, I downloaded windump 3.9.5 and ran it with the -D option. It listed all my adapters ok, and I selected an adapter with the -i option and it captured packets ok. Here are the results I got for the -h option:

windump version 3.9.5, based on tcpdump version 3.9.5
WinPcap version 4.0.2 (packet.dll version 4.0.0.1040), based on libpcap version 0.9.5

Here is some info for the NDISNPP.DLL I'm using:

File Version: 5.1.2600.5512
File Date: 4/13/08 8:12 PM
File Size: 57,344 bytes
File Location: C:\WINDOWS\system32\npp

Attached is a screen shot of the debugger display for the crash. Any ideas as to what the problem is here with the basic_dump example? Perhaps I'm overlooking something simple. Thanks in advance for any help.

Regards,
--Bill Salibrici

From gianluca.varenni at cacetech.com Tue Jul 21 08:33:37 2009
From: gianluca.varenni at cacetech.com (Gianluca Varenni)
Date: Tue, 21 Jul 2009 08:33:37 -0700
Subject: [Winpcap-users] Windows Vista NPF Driver Issue
Message-ID: <57272CE4FE8D472A950247899B9A676F@NELSON3>

I think it's simply a problem with UAC; it has nothing to do with WinPcap per se. In practice the driver needs to be started with admin (elevated) privileges, for example running your program by right-clicking on it and choosing "run as administrator". What Wireshark does is change a registry key so that the NPF driver gets loaded automatically upon boot. This same option will be available in the next version of the WinPcap installer (and it will be enabled by default).

Have a nice day
GV

From gianluca.varenni at cacetech.com Tue Jul 21 08:44:23 2009
From: gianluca.varenni at cacetech.com (Gianluca Varenni)
Date: Tue, 21 Jul 2009 08:44:23 -0700
Subject: [Winpcap-users] Access violation when using pcap_findalldevs_ex

Does the same problem happen with WinPcap 4.1beta5? Can you send me the output of "windump -D"?

Have a nice day
GV
From redslasher99 at yahoo.com Wed Jul 22 16:43:56 2009
From: redslasher99 at yahoo.com (Benjamin Kiefer)
Date: Wed, 22 Jul 2009 16:43:56 -0700 (PDT)
Subject: [Winpcap-users] Out of my depth...
Message-ID: <816177.50808.qm@web51602.mail.re2.yahoo.com>

Okay, I'm a college student who barely uses C++, and wanted to put all the functionality of WinPcap into a .dll that I can use in, say, C#. Would anyone be able to tell me what exactly I'd need for it to work, because I'm REALLY confused by the documentation. The sample code doesn't compile properly, and it'd be really nice to just have a .sln to run that actually works. This seems very complex as is, and the documentation doesn't really help. Apparently they don't know what "tutorials" look like, because as far as I know, giving someone a complete .cpp and barely going into what is done in it doesn't help anyone learn.

Any help would be greatly appreciated (i.e. a REAL tutorial describing which functions are used to do what and why, and how they do it), or I'd just be happy with a .dll that I can call stuff from if that's all you can do.

Thanks again.
Benjamin C. Kiefer

From gianluca.varenni at cacetech.com Wed Jul 22 17:37:26 2009
From: gianluca.varenni at cacetech.com (Gianluca Varenni)
Date: Wed, 22 Jul 2009 17:37:26 -0700
Subject: [Winpcap-users] Out of my depth...
Message-ID: <11C64035AA734BA88269EC96445774DF@NELSON3>

----- Original Message -----
From: Benjamin Kiefer
To: winpcap-users at winpcap.org
Sent: Wednesday, July 22, 2009 4:43 PM
Subject: [Winpcap-users] Out of my depth...

> Okay, I'm a college student who barely uses c++, and wanted to put all the functionality of winpcap into a .dll that I can use in, say, c#. Would anyone be able to tell me what exactly I'd need for it to work, because I'm REALLY confused by the documentation. The sample code doesn't compile properly, and it'd be really nice to just have a .sln to run that actually works.

Which samples in the developer's pack do not compile? Can you be a bit more specific?

> This seems very complex as is, and the documentation doesn't really help. Apparently they don't know what "tutorials" look like, because as far as I know, giving someone a complete .cpp and barely going into what is done on it doesn't help anyone learn.

Have you looked at the tutorial here http://www.winpcap.org/docs/docs_41b5/html/group__wpcap__tut.html ?

Also, there are a bunch of .NET wrappers for WinPcap; at least one is available on CodeProject (just search for "net wrapper" on Google).

Have a nice day
GV

From guy at alum.mit.edu Wed Jul 22 18:05:42 2009
From: guy at alum.mit.edu (Guy Harris)
Date: Wed, 22 Jul 2009 18:05:42 -0700
Subject: [Winpcap-users] Out of my depth...

On Jul 22, 2009, at 4:43 PM, Benjamin Kiefer wrote:

> Okay, I'm a college student who barely uses c++, and wanted to put
> all the functionality of winpcap into a .dll that I can use in, say,
> c#.

Is the goal to write such an encapsulation, or is the goal to use WinPcap from C#?

If the goal is the latter - i.e., if you're not, for example, trying to learn how to wrap C/C++ libraries for use in .NET - then the Wikipedia page for pcap (libpcap/WinPcap):

http://en.wikipedia.org/wiki/Pcap

says:

Wrappers for use of libpcap/WinPcap in languages other than C and C++
...
* WinPcapNET and SharpPcap, .NET wrappers for WinPcap

and SharpPcap is at

http://sharppcap.wiki.sourceforge.net/

(WinPcapNet is at http://blogs.creadev.net/benj/2007/03/26/winpcapnet-first-release/ but I don't know whether anything's been done on it since then; SharpPcap's last release was in May of this year, so it appears to be active.)

From xbachngoctuyetx at gmail.com Thu Jul 23 03:04:13 2009
From: xbachngoctuyetx at gmail.com (tran thanh)
Date: Thu, 23 Jul 2009 17:04:13 +0700
Subject: [Winpcap-users] Size of packet captured!
Message-ID: <87bb77eb0907230304n7b5b90cbq5e7c803bd9034cae@mail.gmail.com>

Dear all,

I'm using WinPcap to capture 'SQL Batch Server Response'! When I receive a packet from SQL Server, the size of the packet is too short, so I can't get all the data that the server responds with.

Ex: I use Select FirstName, MiddleName, LastName from Employees. There are a total of 300 DataRows but I only receive 240 DataRows.

Please help me about this.

Thanks and Regards!

From gianluca.varenni at cacetech.com Thu Jul 23 08:54:55 2009
From: gianluca.varenni at cacetech.com (Gianluca Varenni)
Date: Thu, 23 Jul 2009 08:54:55 -0700
Subject: [Winpcap-users] Size of packet captured!
Message-ID: <92AD05132D8C4A71A99BAD7814503783@NELSON3>

The information is probably split among multiple packets. What protocol does it use? TCP? UDP?

Have a nice day
GV

From dchang at fsautomation.com Thu Jul 23 09:25:31 2009
From: dchang at fsautomation.com (David Chang)
Date: Thu, 23 Jul 2009 09:25:31 -0700
Subject: [Winpcap-users] Size of packet captured!

Tran,

In addition to what G. said about multiple Ethernet packets per TDS message (which is true, usually 3 Ethernet packets per full TDS message), did you set the 'snaplen' of pcap_open_live() to 65536? If not, you may only be getting a portion of the actual Ethernet packet.

DC
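Added example, not code from this thread, WinPcap or SQL Server: the C below takes the captured TCP segments of a server reply, stops when a frame has caplen < len (the snaplen problem DC raises), stitches the segments into one byte stream in sequence order (the "split among multiple packets" point GV makes), and then walks the TDS packet headers to tell whether the end-of-message packet has been seen. The segment struct, the sequence numbers and the two-packet response are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* One captured TCP segment of the server reply (constructed for this example).
 * len/caplen mirror the pcap_pkthdr fields; seq is the TCP sequence number of
 * the first payload byte; payload is the TDS data actually captured. */
struct tcp_seg {
    uint32_t seq;
    uint32_t len;            /* frame bytes on the wire (pcap_pkthdr.len) */
    uint32_t caplen;         /* frame bytes captured (pcap_pkthdr.caplen) */
    const uint8_t *payload;
    size_t payload_len;
};
enum reasm_status { REASM_OK = 0, REASM_TRUNCATED, REASM_GAP, REASM_OVERFLOW };

/* caplen < len means the snaplen given to pcap_open_live() was smaller than
 * the frame: the tail of this segment was never captured. */
bool segment_truncated(const struct tcp_seg *s) { return s->caplen < s->len; }

/* Concatenates the payloads in sequence-number order starting at first_seq,
 * tolerating out-of-order delivery and retransmitted duplicates. */
enum reasm_status reassemble(const struct tcp_seg *segs, size_t n,
                             uint32_t first_seq, uint8_t *out, size_t out_cap,
                             size_t *out_len)
{
    uint32_t expected = first_seq;
    *out_len = 0;
    for (;;) {
        const struct tcp_seg *next = NULL;
        for (size_t i = 0; i < n && next == NULL; i++)
            if (segs[i].seq == expected && segs[i].payload_len > 0)
                next = &segs[i];
        if (next == NULL)
            break;                     /* nothing continues the stream */
        if (segment_truncated(next))
            return REASM_TRUNCATED;
        if (*out_len + next->payload_len > out_cap)
            return REASM_OVERFLOW;
        memcpy(out + *out_len, next->payload, next->payload_len);
        *out_len += next->payload_len;
        expected += (uint32_t)next->payload_len;
    }
    /* Data still ahead of `expected` was seen but is unreachable: the segment
     * in between was dropped by the driver or never reached the capture. */
    for (size_t i = 0; i < n; i++)
        if (segs[i].payload_len > 0 && (int32_t)(segs[i].seq - expected) > 0)
            return REASM_GAP;
    return REASM_OK;
}

/* Walks the TDS packets in a reassembled stream. Per MS-TDS each packet has an
 * 8-byte header: type, status, big-endian length (header included), SPID,
 * packet id, window; status bit 0x01 (EOM) marks the last packet of a message.
 * Returns the number of whole packets; *complete is set when the last whole
 * packet ends the message and nothing trails it. */
size_t tds_count_packets(const uint8_t *buf, size_t n, bool *complete)
{
    size_t off = 0, count = 0;
    *complete = false;
    while (off + 8 <= n) {
        size_t plen = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        if (plen < 8 || off + plen > n)
            break;             /* malformed, or cut off: more segments needed */
        *complete = (buf[off + 1] & 0x01) != 0;
        off += plen;
        count++;
    }
    if (off != n)
        *complete = false;
    return count;
}

/* Constructed input: a tabular-result (type 0x04) response split into two TDS
 * packets carried in two TCP segments that were captured out of order. */
static const uint8_t tds_pkt1[] = { 0x04, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x01, 0x00,
                                    'r', 'o', 'w', '1' };
static const uint8_t tds_pkt2[] = { 0x04, 0x01, 0x00, 0x0B, 0x00, 0x00, 0x02, 0x00,
                                    'r', 'o', 'w' };
static const struct tcp_seg demo_segs[] = {
    { 1012, 65, 65, tds_pkt2, sizeof tds_pkt2 },  /* second packet, seen first */
    { 1000, 66, 66, tds_pkt1, sizeof tds_pkt1 },
};

/* Reassembles the demo capture and reports whether the whole response was seen. */
bool demo_response_complete(void)
{
    uint8_t stream[64];
    size_t len;
    bool complete = false;
    if (reassemble(demo_segs, 2, 1000, stream, sizeof stream, &len) != REASM_OK)
        return false;
    tds_count_packets(stream, len, &complete);
    return complete;
}
```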
URL: http://www.winpcap.org/pipermail/winpcap-users/attachments/20090723/8131c3cd/attachment-0001.htm From jack at pebbleridge.com Thu Jul 23 14:20:29 2009 From: jack at pebbleridge.com (Jack Jackson) Date: Thu, 23 Jul 2009 14:20:29 -0700 Subject: [Winpcap-users] Large number of duplicate messages Message-ID: <20090723212138.BDA2222DD6D@mxout-07.mxes.net> I just installed WinPcap 4.1 beta 5 on a Win 2008 Server 64-bit virtual machine (running on VMWare Server 2). Wireshark (1.2.1) shows a large number of duplicate copies of many (but not all) messages. For example, if I ping the virtual machine from another machine, I see about 126 ping requests and replies for each ping request sent. ARP messages do not appear to be duplicated, but most others are (all TCP as far as I can tell, but few if any UDP). Dumpcap shows the same number of messages as Wireshark. If I install WinPcap 4.1 beta 5 on the host Win 2008 64-bit machine and do the same ping as above, I see much fewer duplicates, 2-3. Any idea what is happening? Is this some artifact of the VMWare network drivers? From gianluca.varenni at cacetech.com Thu Jul 23 15:27:36 2009 From: gianluca.varenni at cacetech.com (Gianluca Varenni) Date: Thu, 23 Jul 2009 15:27:36 -0700 Subject: [Winpcap-users] Large number of duplicate messages References: <20090723212138.BDA2222DD6D@mxout-07.mxes.net> Message-ID: <0C47F9F2A7D34515BEDA59BB5D958CD3@NELSON3> I would say it's some sort of artifact of the VMWre networking stack. Do you have any personall firewall install on the host and/or the host? Have a nice day GV ----- Original Message ----- From: "Jack Jackson" To: Sent: Thursday, July 23, 2009 2:20 PM Subject: [Winpcap-users] Large number of duplicate messages >I just installed WinPcap 4.1 beta 5 on a Win 2008 Server 64-bit virtual > machine (running on VMWare Server 2). > > Wireshark (1.2.1) shows a large number of duplicate copies of many (but > not > all) messages. 
For example, if I ping the virtual machine from another > machine, I see about 126 ping requests and replies for each ping request > sent. ARP messages do not appear to be duplicated, but most others are > (all TCP as far as I can tell, but few if any UDP). Dumpcap shows the > same > number of messages as Wireshark. > > If I install WinPcap 4.1 beta 5 on the host Win 2008 64-bit machine and do > the same ping as above, I see much fewer duplicates, 2-3. > > Any idea what is happening? Is this some artifact of the VMWare network > drivers? > > _______________________________________________ > Winpcap-users mailing list > Winpcap-users at winpcap.org > https://www.winpcap.org/mailman/listinfo/winpcap-users From jack at pebbleridge.com Thu Jul 23 15:37:19 2009 From: jack at pebbleridge.com (Jack Jackson) Date: Thu, 23 Jul 2009 15:37:19 -0700 Subject: [Winpcap-users] Large number of duplicate messages In-Reply-To: <0C47F9F2A7D34515BEDA59BB5D958CD3@NELSON3> References: <20090723212138.BDA2222DD6D@mxout-07.mxes.net> <0C47F9F2A7D34515BEDA59BB5D958CD3@NELSON3> Message-ID: <20090723223721.0207222E253@mxout-07.mxes.net> Just Windows Firewall, but the behavior is the same if it is turned off. Jack At 03:27 PM 7/23/2009, Gianluca Varenni wrote: >I would say it's some sort of artifact of the VMWre networking stack. >Do you have any personall firewall install on the host and/or the host? > >Have a nice day >GV > >----- Original Message ----- >From: "Jack Jackson" >To: >Sent: Thursday, July 23, 2009 2:20 PM >Subject: [Winpcap-users] Large number of duplicate messages > > > >I just installed WinPcap 4.1 beta 5 on a Win 2008 Server 64-bit virtual > > machine (running on VMWare Server 2). > > > > Wireshark (1.2.1) shows a large number of duplicate copies of many (but > > not > > all) messages. For example, if I ping the virtual machine from another > > machine, I see about 126 ping requests and replies for each ping request > > sent. 
ARP messages do not appear to be duplicated, but most others are > > (all TCP as far as I can tell, but few if any UDP). Dumpcap shows the > > same > > number of messages as Wireshark. > > > > If I install WinPcap 4.1 beta 5 on the host Win 2008 64-bit machine and do > > the same ping as above, I see much fewer duplicates, 2-3. > > > > Any idea what is happening? Is this some artifact of the VMWare network > > drivers? From gianluca.varenni at cacetech.com Thu Jul 23 15:54:16 2009 From: gianluca.varenni at cacetech.com (Gianluca Varenni) Date: Thu, 23 Jul 2009 15:54:16 -0700 Subject: [Winpcap-users] Large number of duplicate messages References: <20090723212138.BDA2222DD6D@mxout-07.mxes.net><0C47F9F2A7D34515BEDA59BB5D958CD3@NELSON3> <20090723223721.0207222E253@mxout-07.mxes.net> Message-ID: <43AAAA11A8194C2D9FDA924D035A8013@NELSON3> I don't have a Windows 2008 x64 guest off hand to test, unfortunately. Do all the packets get duplicated? Have a nice day GV ----- Original Message ----- From: "Jack Jackson" To: Sent: Thursday, July 23, 2009 3:37 PM Subject: Re: [Winpcap-users] Large number of duplicate messages > Just Windows Firewall, but the behavior is the same if it is turned off. > > Jack > > At 03:27 PM 7/23/2009, Gianluca Varenni wrote: >>I would say it's some sort of artifact of the VMWre networking stack. >>Do you have any personall firewall install on the host and/or the host? >> >>Have a nice day >>GV >> >>----- Original Message ----- >>From: "Jack Jackson" >>To: >>Sent: Thursday, July 23, 2009 2:20 PM >>Subject: [Winpcap-users] Large number of duplicate messages >> >> >> >I just installed WinPcap 4.1 beta 5 on a Win 2008 Server 64-bit virtual >> > machine (running on VMWare Server 2). >> > >> > Wireshark (1.2.1) shows a large number of duplicate copies of many (but >> > not >> > all) messages. For example, if I ping the virtual machine from another >> > machine, I see about 126 ping requests and replies for each ping >> > request >> > sent. 
ARP messages do not appear to be duplicated, but most others are >> > (all TCP as far as I can tell, but few if any UDP). Dumpcap shows the >> > same >> > number of messages as Wireshark. >> > >> > If I install WinPcap 4.1 beta 5 on the host Win 2008 64-bit machine and >> > do >> > the same ping as above, I see much fewer duplicates, 2-3. >> > >> > Any idea what is happening? Is this some artifact of the VMWare >> > network >> > drivers? > > _______________________________________________ > Winpcap-users mailing list > Winpcap-users at winpcap.org > https://www.winpcap.org/mailman/listinfo/winpcap-users From redslasher99 at yahoo.com Thu Jul 23 16:02:35 2009 From: redslasher99 at yahoo.com (Benjamin Kiefer) Date: Thu, 23 Jul 2009 16:02:35 -0700 (PDT) Subject: [Winpcap-users] Out of my depth... In-Reply-To: References: Message-ID: <289654.86977.qm@web51602.mail.re2.yahoo.com> I'm using Visual Studio to try to run this code (the code from the link you said) and first it says, "Error 1 fatal error C1083: Cannot open include file: 'pcap.h': No such file or directory" even after adding existing item and browsing to it. So, I add new item, copy the contents of pcap.h into it, and save it as pcap.h. Next error: "Error 1 fatal error C1083: Cannot open include file: 'pcap-stdinc.h': No such file or directory" I try repeating the last step, but it never works. At one point I had tried to run their "example" solutions, with about 13 errors about "Error 1 error C3163: '_vsnprintf': attributes inconsistent with previous declaration" Also, that is NOT a tutorial. They don't tell you what you need to actually execute the code, i.e. which .h files are needed to be included (other than the #include), whether it only needs the .dll or what. It's very frustrating trying to run code with all the provided information, only to discover that there's still vital information not given. 
I'm not sure if anyone here is familiar with several programs written for use with the game Warcraft III, namely banlist and listchecker. These programs scan through the traffic to your computer and log several bits of information about players you interact with, ultimately allowing you to compile a list of players you do not wish to have interaction with again. Also, they have built-in ping functionality, as well as several other helpful tools. The problem is that they each have strengths, but definite weaknesses, and who wants to run 4 programs in tandem with a game to do everything if they can just combine them. I've determined that their functionality stems from WinPcap, and wanted to write my own version of these programs that incorporates their strengths into 1 package. I don't like C++ or C, and wanted to do it in C#. I had no idea (as it said nothing about it) that this wasn't really set up to be used with .NET straight away (as there are no .sln's that just compile and work properly) and wanted to know if I needed to compile something into a .dll or if there was just an updated C# version out there. Benjamin C. Kiefer ---------------------------------------------------------------------- Message: 1 Date: Wed, 22 Jul 2009 16:43:56 -0700 (PDT) From: Benjamin Kiefer Subject: [Winpcap-users] Out of my depth... To: winpcap-users at winpcap.org Message-ID: <816177.50808.qm at web51602.mail.re2.yahoo.com> Content-Type: text/plain; charset="us-ascii" Okay, I'm a college student who barely uses c++, and wanted to put all the functionality of winpcap into a .dll that I can use in, say, c#. Would anyone be able to tell me what exactly I'd need for it to work, because I'm REALLY confused by the documentation. The sample code doesn't compile properly, and it'd be really nice to just have a .sln to run that actually works. This seems very complex as is, and the documentation doesn't really help. 
Apparently they don't know what "tutorials" look like, because as far as I know, giving someone a complete .cpp and barely going into what is done on it doesn't help anyone learn. Any help would be greatly appreciated (i.e. a REAL tutorial describing which functions are used to do what and why, and how they do it) or I'd just be happy with a .dll that I can call stuff from if that's all you can do. Thanks again. Benjamin C. Kiefer -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.winpcap.org/pipermail/winpcap-users/attachments/20090722/04b3892d/attachment-0001.htm ------------------------------ Message: 2 Date: Wed, 22 Jul 2009 17:37:26 -0700 From: "Gianluca Varenni" Subject: Re: [Winpcap-users] Out of my depth... To: Message-ID: <11C64035AA734BA88269EC96445774DF at NELSON3> Content-Type: text/plain; charset="iso-8859-1" ----- Original Message ----- From: Benjamin Kiefer To: winpcap-users at winpcap.org Sent: Wednesday, July 22, 2009 4:43 PM Subject: [Winpcap-users] Out of my depth... Okay, I'm a college student who barely uses c++, and wanted to put all the functionality of winpcap into a .dll that I can use in, say, c#. Would anyone be able to tell me what exactly I'd need for it to work, because I'm REALLY confused by the documentation. The sample code doesn't compile properly, and it'd be really nice to just have a .sln to run Which samples in the developer's pack do not compile? Can you be a bit more specific? that actually works. This seems very complex as is, and the documentation doesn't really help. Apparently they don't know what "tutorials" look like, because as far as I know, giving someone a complete .cpp and barely going into what is done on it doesn't help anyone learn. Have you looked at the tutorial here http://www.winpcap.org/docs/docs_41b5/html/group__wpcap__tut.html ? Also, there are a bunch of .NET wrappers for WinPcap, at least one is available on codeproject (just search for "net wrapper on google"). 
Have a nice day GV Any help would be greatly appreciated (i.e. a REAL tutorial describing which functions are used to do what and why, and how they do it) or I'd just be happy with a .dll that I can call stuff from if that's all you can do. Thanks again. Benjamin C. Kiefer ------------------------------------------------------------------------------ _______________________________________________ Winpcap-users mailing list Winpcap-users at winpcap.org https://www.winpcap.org/mailman/listinfo/winpcap-users -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.winpcap.org/pipermail/winpcap-users/attachments/20090722/7edc3dda/attachment-0001.htm ------------------------------ Message: 3 Date: Wed, 22 Jul 2009 18:05:42 -0700 From: Guy Harris Subject: Re: [Winpcap-users] Out of my depth... To: winpcap-users at winpcap.org Message-ID: Content-Type: text/plain; charset=WINDOWS-1252; format=flowed; delsp=yes On Jul 22, 2009, at 4:43 PM, Benjamin Kiefer wrote: > Okay, I'm a college student who barely uses c++, and wanted to put > all the functionality of winpcap into a .dll that I can use in, say, > c#. Is the goal to write such an encapsulation, or is the goal to use WinPcap from C#? If the goal is the latter - i.e., if you're not, for example, trying to learn how to wrap C/C++ libraries for use in .NET - then the Wikipedia page for pcap (libpcap/WinPcap): http://en.wikipedia.org/wiki/Pcap says: Wrappers for use of libpcap/WinPcap in languages other than C and C++ ... ? WinPcapNET and SharpPcap, .NET wrappers for WinPcap and SharpPcap is at http://sharppcap.wiki.sourceforge.net/ (WinPcapNet is at http://blogs.creadev.net/benj/2007/03/26/winpcapnet-first-release/ but I don't know whether anything's been done on it since then; SharpPcap's last release was in May of this year, so it appears to be active.) -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://www.winpcap.org/pipermail/winpcap-users/attachments/20090723/219b57aa/attachment-0001.htm From gianluca.varenni at cacetech.com Thu Jul 23 16:17:10 2009 From: gianluca.varenni at cacetech.com (Gianluca Varenni) Date: Thu, 23 Jul 2009 16:17:10 -0700 Subject: [Winpcap-users] Out of my depth... References: <289654.86977.qm@web51602.mail.re2.yahoo.com> Message-ID: <0B3F3F0B837346B185488A8E404EFF4E@NELSON3> I suggest you to have a look at this http://www.winpcap.org/docs/docs_41b5/html/group__wpcapsamps.html Have a nice day GV ----- Original Message ----- From: Benjamin Kiefer To: winpcap-users at winpcap.org Sent: Thursday, July 23, 2009 4:02 PM Subject: Re: [Winpcap-users] Out of my depth... I'm using visual studio to try to run this code (the code from the link you said) and first it says, "Error 1 fatal error C1083: Cannot open include file: 'pcap.h': No such file or directory" even after adding existing item and browsing to it. So, I add new item, copy the contents of pcap.h into it, and save it as pcap.h. next error, "Error 1 fatal error C1083: Cannot open include file: 'pcap-stdinc.h': No such file or directory" I try repeating the last step, but it never works. At one point I had tried to run their "example" solutions, with about 13 errors about "Error 1 error C3163: '_vsnprintf': attributes inconsistent with previous declaration" Also, that is NOT a tutorial. They don't tell you what you need to actually execute the code, i.e. which .h files are needed to be included (other then the #include), whether it only needs the .dll or what. It's very frustrating trying to run code with all the provided information, only to discover that there's still vital information not given. I'm not sure if anyone here is familiar with several programs written for use with the game Warcraft III, namely banlist and listchecker. 
These programs scan through the traffic to your computer and log several bits of information about players you interact with, ultimately allowing you to compile a list of players you do not wish to have interaction with again. Also, they have built in ping functionality, as well as several other helpful tools. The problem is that they each have strengths, but definate weaknesses, and who wants to run 4 programs in tandem with a game to do everything if they can just combine them. I've determined that their functionality stems from winpcap, and wanted to write my own version of these programs that incorporates their strengths into 1 package. I don't like c++ or c, and wanted to do it in c#. I had no idea (as it said nothing about it) that this wasn't really set up to be used with .net straight away (as there are no .sln's that just compile and work properly) and wanted to know if I needed to compile something into a .dll or if there was just an updated c# version out there. Benjamin C. Kiefer ---------------------------------------------------------------------- Message: 1 Date: Wed, 22 Jul 2009 16:43:56 -0700 (PDT) From: Benjamin Kiefer Subject: [Winpcap-users] Out of my depth... To: winpcap-users at winpcap.org Message-ID: <816177.50808.qm at web51602.mail.re2.yahoo.com> Content-Type: text/plain; charset="us-ascii" Okay, I'm a college student who barely uses c++, and wanted to put all the functionality of winpcap into a .dll that I can use in, say, c#. Would anyone be able to tell me what exactly I'd need for it to work, because I'm REALLY confused by the documentation. The sample code doesn't compile properly, and it'd be really nice to just have a .sln to run that actually works. This seems very complex as is, and the documentation doesn't really help. Apparently they don't know what "tutorials" look like, because as far as I know, giving someone a complete .cpp and barely going into what is done on it doesn't help anyone learn. 
Any help would be greatly appreciated (i.e. a REAL tutorial describing which functions are used to do what and why, and how they do it) or I'd just be happy with a .dll that I can call stuff from if that's all you can do. Thanks again. Benjamin C. Kiefer -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.winpcap.org/pipermail/winpcap-users/attachments/20090722/04b3892d/attachment-0001.htm ------------------------------ Message: 2 Date: Wed, 22 Jul 2009 17:37:26 -0700 From: "Gianluca Varenni" Subject: Re: [Winpcap-users] Out of my depth... To: Message-ID: <11C64035AA734BA88269EC96445774DF at NELSON3> Content-Type: text/plain; charset="iso-8859-1" ----- Original Message ----- From: Benjamin Kiefer To: winpcap-users at winpcap.org Sent: Wednesday, July 22, 2009 4:43 PM Subject: [Winpcap-users] Out of my depth... Okay, I'm a college student who barely uses c++, and wanted to put all the functionality of winpcap into a .dll that I can use in, say, c#. Would anyone be able to tell me what exactly I'd need for it to work, because I'm REALLY confused by the documentation. The sample code doesn't compile properly, and it'd be really nice to just have a .sln to run Which samples in the developer's pack do not compile? Can you be a bit more specific? that actually works. This seems very complex as is, and the documentation doesn't really help. Apparently they don't know what "tutorials" look like, because as far as I know, giving someone a complete .cpp and barely going into what is done on it doesn't help anyone learn. Have you looked at the tutorial here http://www.winpcap.org/docs/docs_41b5/html/group__wpcap__tut.html ? Also, there are a bunch of .NET wrappers for WinPcap, at least one is available on codeproject (just search for "net wrapper on google"). Have a nice day GV Any help would be greatly appreciated (i.e. 
a REAL tutorial describing which functions are used to do what and why, and how they do it) or I'd just be happy with a .dll that I can call stuff from if that's all you can do. Thanks again. Benjamin C. Kiefer ------------------------------------------------------------------------------ _______________________________________________ Winpcap-users mailing list Winpcap-users at winpcap.org https://www.winpcap.org/mailman/listinfo/winpcap-users -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.winpcap.org/pipermail/winpcap-users/attachments/20090722/7edc3dda/attachment-0001.htm ------------------------------ Message: 3 Date: Wed, 22 Jul 2009 18:05:42 -0700 From: Guy Harris Subject: Re: [Winpcap-users] Out of my depth... To: winpcap-users at winpcap.org Message-ID: Content-Type: text/plain; charset=WINDOWS-1252; format=flowed; delsp=yes On Jul 22, 2009, at 4:43 PM, Benjamin Kiefer wrote: > Okay, I'm a college student who barely uses c++, and wanted to put > all the functionality of winpcap into a .dll that I can use in, say, > c#. Is the goal to write such an encapsulation, or is the goal to use WinPcap from C#? If the goal is the latter - i.e., if you're not, for example, trying to learn how to wrap C/C++ libraries for use in .NET - then the Wikipedia page for pcap (libpcap/WinPcap): http://en.wikipedia.org/wiki/Pcap says: Wrappers for use of libpcap/WinPcap in languages other than C and C++ ... ? WinPcapNET and SharpPcap, .NET wrappers for WinPcap and SharpPcap is at http://sharppcap.wiki.sourceforge.net/ (WinPcapNet is at http://blogs.creadev.net/benj/2007/03/26/winpcapnet-first-release/ but I don't know whether anything's been done on it since then; SharpPcap's last release was in May of this year, so it appears to be active.) 
------------------------------------------------------------------------------ _______________________________________________ Winpcap-users mailing list Winpcap-users at winpcap.org https://www.winpcap.org/mailman/listinfo/winpcap-users -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.winpcap.org/pipermail/winpcap-users/attachments/20090723/9588373b/attachment.htm From jack at pebbleridge.com Thu Jul 23 16:28:30 2009 From: jack at pebbleridge.com (Jack Jackson) Date: Thu, 23 Jul 2009 16:28:30 -0700 Subject: [Winpcap-users] Large number of duplicate messages In-Reply-To: <43AAAA11A8194C2D9FDA924D035A8013@NELSON3> References: <20090723212138.BDA2222DD6D@mxout-07.mxes.net> <0C47F9F2A7D34515BEDA59BB5D958CD3@NELSON3> <20090723223721.0207222E253@mxout-07.mxes.net> <43AAAA11A8194C2D9FDA924D035A8013@NELSON3> Message-ID: <20090723232831.AA3FB22DD6D@mxout-07.mxes.net> No, not all are duplicated. It seems to depend on whether or not the destination IP address is the virtual machine. I will do some more investigation. Thanks for your help. At 03:54 PM 7/23/2009, Gianluca Varenni wrote: >I don't have a Windows 2008 x64 guest off hand to test, unfortunately. Do >all the packets get duplicated? > >Have a nice day >GV > >----- Original Message ----- >From: "Jack Jackson" >To: >Sent: Thursday, July 23, 2009 3:37 PM >Subject: Re: [Winpcap-users] Large number of duplicate messages > > > > Just Windows Firewall, but the behavior is the same if it is turned off. > > > > Jack > > > > At 03:27 PM 7/23/2009, Gianluca Varenni wrote: > >>I would say it's some sort of artifact of the VMWre networking stack. > >>Do you have any personall firewall install on the host and/or the host? 
> >> > >>Have a nice day > >>GV > >> > >>----- Original Message ----- > >>From: "Jack Jackson" > >>To: > >>Sent: Thursday, July 23, 2009 2:20 PM > >>Subject: [Winpcap-users] Large number of duplicate messages > >> > >> > >> >I just installed WinPcap 4.1 beta 5 on a Win 2008 Server 64-bit virtual > >> > machine (running on VMWare Server 2). > >> > > >> > Wireshark (1.2.1) shows a large number of duplicate copies of many (but > >> > not > >> > all) messages. For example, if I ping the virtual machine from another > >> > machine, I see about 126 ping requests and replies for each ping > >> > request > >> > sent. ARP messages do not appear to be duplicated, but most others are > >> > (all TCP as far as I can tell, but few if any UDP). Dumpcap shows the > >> > same > >> > number of messages as Wireshark. > >> > > >> > If I install WinPcap 4.1 beta 5 on the host Win 2008 64-bit machine and > >> > do > >> > the same ping as above, I see much fewer duplicates, 2-3. > >> > > >> > Any idea what is happening? Is this some artifact of the VMWare > >> > network > >> > drivers? > > > > _______________________________________________ > > Winpcap-users mailing list > > Winpcap-users at winpcap.org > > https://www.winpcap.org/mailman/listinfo/winpcap-users > >_______________________________________________ >Winpcap-users mailing list >Winpcap-users at winpcap.org >https://www.winpcap.org/mailman/listinfo/winpcap-users From xbachngoctuyetx at gmail.com Thu Jul 23 19:31:54 2009 From: xbachngoctuyetx at gmail.com (tran thanh) Date: Fri, 24 Jul 2009 09:31:54 +0700 Subject: [Winpcap-users] Size of packet captured! In-Reply-To: References: <87bb77eb0907230304n7b5b90cbq5e7c803bd9034cae@mail.gmail.com> Message-ID: <87bb77eb0907231931g7aa885b3mc0bd85c984d3802d@mail.gmail.com> Dear Varenni and Chang, Firstly, thanks for your help. I'm using TCP! I got the full TDS message from 2 packets, but the new matter is how do I know that 2 (or more) packets are from a TDS message? Thanks, Tran Bach Thanh! 
-------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.winpcap.org/pipermail/winpcap-users/attachments/20090724/e806f895/attachment-0001.htm From dchang at fsautomation.com Thu Jul 23 20:09:58 2009 From: dchang at fsautomation.com (David Chang) Date: Thu, 23 Jul 2009 20:09:58 -0700 Subject: [Winpcap-users] Size of packet captured! References: <87bb77eb0907230304n7b5b90cbq5e7c803bd9034cae@mail.gmail.com> <87bb77eb0907231931g7aa885b3mc0bd85c984d3802d@mail.gmail.com> Message-ID: <8D00EE7367834664BCC405A50C0B8B44@ace> Tran, Standard TDS headers are 4 bytes long. The first byte is the 'packet type'. The second byte is the 'last packet indicator'. The next two bytes are the 'packet size'. Thus, in your case, you should have gotten a 'packet size' that was greater than one Ethernet packet length (around 1500 bytes). I suggest you look at: http://www.freetds.org/tds.html DC ----- Original Message ----- From: tran thanh To: winpcap-users at winpcap.org Sent: Thursday, July 23, 2009 7:31 PM Subject: Re: [Winpcap-users] Size of packet captured! Dear Varenni and Chang, Firstly thanks for your help, I'm using TCP! I got Full TDS message from 2 packets, But new matter is how do I know that 2(or more) pakets is from a TDS message? Thanks, Tran Bach Thanh! ------------------------------------------------------------------------------ _______________________________________________ Winpcap-users mailing list Winpcap-users at winpcap.org https://www.winpcap.org/mailman/listinfo/winpcap-users -------------- next part -------------- An HTML attachment was scrubbed... URL: http://www.winpcap.org/pipermail/winpcap-users/attachments/20090723/593aee02/attachment.htm From xbachngoctuyetx at gmail.com Thu Jul 23 21:50:19 2009 From: xbachngoctuyetx at gmail.com (tran thanh) Date: Fri, 24 Jul 2009 11:50:19 +0700 Subject: [Winpcap-users] Size of packet captured! 
In-Reply-To: <8D00EE7367834664BCC405A50C0B8B44@ace> References: <87bb77eb0907230304n7b5b90cbq5e7c803bd9034cae@mail.gmail.com> <87bb77eb0907231931g7aa885b3mc0bd85c984d3802d@mail.gmail.com> <8D00EE7367834664BCC405A50C0B8B44@ace> Message-ID: <87bb77eb0907232150m44bf9facp79b805ccac038fb7@mail.gmail.com> Dear Chang, Yes, I got a packet that only has 1516 bytes, so I must join 2 packets to get the whole message. So in this case, if the message is too long there will be more and more packets; how do I know which packets are from a message to join them together! P/S: I'm reading your link, it's very helpful, but I still do not know how to resolve the problem. Regards, Tran Bach Thanh. On Fri, Jul 24, 2009 at 10:09 AM, David Chang wrote: > Tran, > > Standard TDS headers are 4 bytes long. The first byte is the 'packet > type'. The second byte is the 'last packet indicator'. The next two bytes > are the 'packet size'. Thus, in your case, you should have gotten a 'packet > size' that was greater than one Ethernet packet length (around 1500 bytes). > > I suggest you look at: http://www.freetds.org/tds.html > > DC > > ----- Original Message ----- > *From:* tran thanh > *To:* winpcap-users at winpcap.org > *Sent:* Thursday, July 23, 2009 7:31 PM > *Subject:* Re: [Winpcap-users] Size of packet captured! > > Dear Varenni and Chang, > Firstly thanks for your help, > I'm using TCP! > I got Full TDS message from 2 packets, > But new matter is how do I know that 2(or more) pakets is from a TDS > message? > Thanks, > Tran Bach Thanh! > > > ------------------------------ > > _______________________________________________ > Winpcap-users mailing list > Winpcap-users at winpcap.org > https://www.winpcap.org/mailman/listinfo/winpcap-users > > > _______________________________________________ > Winpcap-users mailing list > Winpcap-users at winpcap.org > https://www.winpcap.org/mailman/listinfo/winpcap-users > > -------------- next part -------------- An HTML attachment was scrubbed... 
URL: http://www.winpcap.org/pipermail/winpcap-users/attachments/20090724/bd47f889/attachment.htm From adagiograzioso at gmail.com Fri Jul 24 01:58:15 2009 From: adagiograzioso at gmail.com (Adagio Grazioso) Date: Fri, 24 Jul 2009 14:28:15 +0530 Subject: [Winpcap-users] Size of packet captured! In-Reply-To: <87bb77eb0907232150m44bf9facp79b805ccac038fb7@mail.gmail.com> References: <87bb77eb0907230304n7b5b90cbq5e7c803bd9034cae@mail.gmail.com> <87bb77eb0907231931g7aa885b3mc0bd85c984d3802d@mail.gmail.com> <8D00EE7367834664BCC405A50C0B8B44@ace> <87bb77eb0907232150m44bf9facp79b805ccac038fb7@mail.gmail.com> Message-ID: <239eee8d0907240158g3345752fh83359f50a666016@mail.gmail.com> Tran, If data is split into multiple packets, you can know which pkts belong to a single message and how to join them from the IP Header fields - Id, Offset and Flags. For more details on the algorithm to use see http://tools.ietf.org/html/rfc791 and http://tools.ietf.org/html/rfc815 Adagio On Fri, Jul 24, 2009 at 10:20 AM, tran thanh wrote: > Dear Chang, > Yes I got a packet only have 1516 bytes, so I must join 2 pakets to get the > all message, > So in this case if the message is too long there will be more and more > pakets, > how do I know which pakets is from a message to join it together! > > P/S: I'm reading your link, it's very helpful, but I still not know how to > resolve the problem. > Regard, > Tran Bach Thanh. > > > On Fri, Jul 24, 2009 at 10:09 AM, David Chang > wrote: >> >> Tran, >> >> Standard TDS headers are 4 bytes long.? The first byte?is the 'packet >> type'.? The second byte is the 'last packet indicator'.? The next two bytes >> are the 'packet size'.? Thus, in your case, you should have gotten a 'packet >> size' that was greater than one Ethernet packet length (around 1500 bytes). 
>> >> I suggest you look at: http://www.freetds.org/tds.html >> >> DC >> >> ----- Original Message ----- >> From: tran thanh >> To: winpcap-users at winpcap.org >> Sent: Thursday, July 23, 2009 7:31 PM >> Subject: Re: [Winpcap-users] Size of packet captured! >> Dear Varenni and Chang, >> Firstly thanks for your help, >> I'm using TCP! >> I got Full TDS message from 2 packets, >> But new matter is how do I know that 2(or more) pakets is from a TDS >> message? >> Thanks, >> Tran Bach Thanh! >> >> >> ________________________________ >> >> _______________________________________________ >> Winpcap-users mailing list >> Winpcap-users at winpcap.org >> https://www.winpcap.org/mailman/listinfo/winpcap-users >> >> _______________________________________________ >> Winpcap-users mailing list >> Winpcap-users at winpcap.org >> https://www.winpcap.org/mailman/listinfo/winpcap-users >> > > > _______________________________________________ > Winpcap-users mailing list > Winpcap-users at winpcap.org > https://www.winpcap.org/mailman/listinfo/winpcap-users > > From gianluca.varenni at cacetech.com Fri Jul 24 08:08:28 2009 From: gianluca.varenni at cacetech.com (Gianluca Varenni) Date: Fri, 24 Jul 2009 08:08:28 -0700 Subject: [Winpcap-users] Size of packet captured! References: <87bb77eb0907230304n7b5b90cbq5e7c803bd9034cae@mail.gmail.com><87bb77eb0907231931g7aa885b3mc0bd85c984d3802d@mail.gmail.com><8D00EE7367834664BCC405A50C0B8B44@ace><87bb77eb0907232150m44bf9facp79b805ccac038fb7@mail.gmail.com> <239eee8d0907240158g3345752fh83359f50a666016@mail.gmail.com> Message-ID: <199C4D544E26408F9B64C1B7C6BC01AF@NELSON3> Actually, from what he said, the TDS protocol (which I don't know at all) runs on top of TCP, so you need to use some sort of TCP flow reassembly to know which 2 (or whatever other number of) packets to join. Have a nice day GV ----- Original Message ----- From: "Adagio Grazioso" To: Sent: Friday, July 24, 2009 1:58 AM Subject: Re: [Winpcap-users] Size of packet captured! 
Tran, If data is split into multiple packets, you can know which pkts belong to a single message and how to join them from the IP Header fields - Id, Offset and Flags. For more details on the algorithm to use see http://tools.ietf.org/html/rfc791 and http://tools.ietf.org/html/rfc815 Adagio On Fri, Jul 24, 2009 at 10:20 AM, tran thanh wrote: > Dear Chang, > Yes I got a packet only have 1516 bytes, so I must join 2 pakets to get > the > all message, > So in this case if the message is too long there will be more and more > pakets, > how do I know which pakets is from a message to join it together! > > P/S: I'm reading your link, it's very helpful, but I still not know how to > resolve the problem. > Regard, > Tran Bach Thanh. > > > On Fri, Jul 24, 2009 at 10:09 AM, David Chang > wrote: >> >> Tran, >> >> Standard TDS headers are 4 bytes long. The first byte is the 'packet >> type'. The second byte is the 'last packet indicator'. The next two bytes >> are the 'packet size'. Thus, in your case, you should have gotten a >> 'packet >> size' that was greater than one Ethernet packet length (around 1500 >> bytes). >> >> I suggest you look at: http://www.freetds.org/tds.html >> >> DC >> >> ----- Original Message ----- >> From: tran thanh >> To: winpcap-users at winpcap.org >> Sent: Thursday, July 23, 2009 7:31 PM >> Subject: Re: [Winpcap-users] Size of packet captured! >> Dear Varenni and Chang, >> Firstly thanks for your help, >> I'm using TCP! >> I got Full TDS message from 2 packets, >> But new matter is how do I know that 2(or more) pakets is from a TDS >> message? >> Thanks, >> Tran Bach Thanh! 
>> >> >> ________________________________ >> >> _______________________________________________ >> Winpcap-users mailing list >> Winpcap-users at winpcap.org >> https://www.winpcap.org/mailman/listinfo/winpcap-users >> >> _______________________________________________ >> Winpcap-users mailing list >> Winpcap-users at winpcap.org >> https://www.winpcap.org/mailman/listinfo/winpcap-users >> > > > _______________________________________________ > Winpcap-users mailing list > Winpcap-users at winpcap.org > https://www.winpcap.org/mailman/listinfo/winpcap-users > > _______________________________________________ Winpcap-users mailing list Winpcap-users at winpcap.org https://www.winpcap.org/mailman/listinfo/winpcap-users From guy at alum.mit.edu Fri Jul 24 09:40:39 2009 From: guy at alum.mit.edu (Guy Harris) Date: Fri, 24 Jul 2009 09:40:39 -0700 Subject: [Winpcap-users] Size of packet captured! In-Reply-To: <239eee8d0907240158g3345752fh83359f50a666016@mail.gmail.com> References: <87bb77eb0907230304n7b5b90cbq5e7c803bd9034cae@mail.gmail.com> <87bb77eb0907231931g7aa885b3mc0bd85c984d3802d@mail.gmail.com> <8D00EE7367834664BCC405A50C0B8B44@ace> <87bb77eb0907232150m44bf9facp79b805ccac038fb7@mail.gmail.com> <239eee8d0907240158g3345752fh83359f50a666016@mail.gmail.com> Message-ID: <2905429E-2E11-424C-A567-8C164BD0E6BE@alum.mit.edu> On Jul 24, 2009, at 1:58 AM, Adagio Grazioso wrote: > If data is split into multiple packets, you can know which pkts belong > to a single message and how to join them from the IP Header fields - > Id, Offset and Flags. If data is split into multiple packets *using IP fragmentation*, you can know which packets belong to a single message and how to join them from the IP Header fields - Id, Offset and Flags. If it's split by, for example, splitting TDS messages across multiple TCP segments, IP fragmentation isn't involved, so that won't help. That's what's happening here. 
From guy at alum.mit.edu Fri Jul 24 09:44:35 2009
From: guy at alum.mit.edu (Guy Harris)
Date: Fri, 24 Jul 2009 09:44:35 -0700
Subject: [Winpcap-users] Size of packet captured!
In-Reply-To: <199C4D544E26408F9B64C1B7C6BC01AF@NELSON3>
References: <87bb77eb0907230304n7b5b90cbq5e7c803bd9034cae@mail.gmail.com> <87bb77eb0907231931g7aa885b3mc0bd85c984d3802d@mail.gmail.com> <8D00EE7367834664BCC405A50C0B8B44@ace> <87bb77eb0907232150m44bf9facp79b805ccac038fb7@mail.gmail.com> <239eee8d0907240158g3345752fh83359f50a666016@mail.gmail.com> <199C4D544E26408F9B64C1B7C6BC01AF@NELSON3>
Message-ID: <1268004F-EA80-412E-8FA1-005B2BD38BAD@alum.mit.edu>

On Jul 24, 2009, at 8:08 AM, Gianluca Varenni wrote:
> Actually, from what he said, the TDS protocol (which I don't know at all) runs on top of TCP, so you need to use some sort of TCP flow reassembly to know which 2 (or whatever other number of) packets to join.

Yes. Wireshark dissects TDS, and it uses its TCP packet reassembly mechanism for this. To quote the comment in the TDS dissector for Wireshark:

/*
 * The NETLIB protocol is a small blocking protocol designed to allow TDS
 * to be placed within different transports (TCP, DECNet, IPX/SPX). A
 * NETLIB packet starts with an eight byte header containing:
 *
 * a one-byte packet type field;
 *
 * a one-byte status field;
 *
 * a two-byte big-endian size field giving the size of the packet,
 * including the header;
 *
 * a two-byte big-endian channel number, used when multiple sessions
 * are being multiplexed on a single connection;
 *
 * a one-byte packet number, giving "the frame number of a multiplexed
 * message, modulo 256";
 *
 * a one-byte window, which is the number of frames to be sent
 * before an acknowledgment message is received.
 *
 * followed by payload whose size is the value in the size field minus 8.
 *
 * Microsoft Network Monitor 2.x dissects the 4 byte field (and indicates
 * that the one-byte last packet indicator also contains other bits).
 *
 * The TDS protocol consists of a number of protocol data units (PDUs) that
 * appear to be assembled from NETLIB packets, in the form of zero or more
 * NETLIB packets with the last packet indicator clear and a final NETLIB
 * packet with the last packet indicator set. The type of the TDS PDU is
 * specified by the packet type field of the NETLIB header (presumably that
 * field has the same value for all NETLIB packets that make up a TDS PDU).
 *
 * The "server response" PDU consists of a sequence of multiple items, each
 * one beginning with a one byte type field at the start of the PDU. Some
 * items are fixed length, some are variable length with a two byte size
 * field following the item type, and then there is TDS_ROW_TOKEN in which
 * size is determined by analyzing the result set returned from the server.
 * This in effect means that we are hopelessly lost if we haven't seen the
 * result set. Also, TDS 4/5 is byte order negotiable, which is specified
 * in the login packet. We can attempt to determine it later on, but not
 * with 100% accuracy.
 *
 * Some preliminary documentation on the packet format can be found at
 * http://www.freetds.org/tds.html
 *
 * Some more information can be found in
 * http://download.nai.com/products/media/sniffer/support/sdos/sybase.pdf
 *
 * Much of this code was originally developed for the FreeTDS project.
 * http://www.freetds.org
 */

/*
 * Excerpts from Brian's posting to wireshark-dev:
 *
 * The TDS Protocol is actually a protocol within a protocol. On the outside
 * there is netlib which is not so much a encapsulation as a blocking of the
 * data, typically to 512 or 4096 bytes. Between this are the protocol data
 * units for TDS. Netlib packets may be split over real packets, multiple
 * netlib packets may appear in single real packets. TDS PDUs may be split
 * over netlib packets (and real packets) and most certainly can appear
 * multiple times within a netlib packet.

...

So you might have to do *two layers* of reassembly.
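An added example (not code from WinPcap, Wireshark or anyone in this thread) of the two layers of reassembly Guy describes: in-order TCP payloads are joined into one byte stream, NETLIB packets are carved out of it with the eight-byte header from the comment above, and packets are collected into a TDS PDU until one arrives with the last-packet indicator set. It assumes that indicator is bit 0 of the status byte (the MS-TDS end-of-message bit; the page itself does not give the bit value), uses constructed sample packets, and leaves the token-level parsing inside a PDU aside.

```python
"""Two-layer reassembly of TDS over TCP: TCP payloads -> NETLIB packets -> TDS PDUs.
Added example; not the WinPcap or Wireshark implementation."""
import struct
from dataclasses import dataclass

NETLIB_HDR = ">BBHHBB"          # type, status, size (BE), channel (BE), pktno, window
NETLIB_HDR_LEN = struct.calcsize(NETLIB_HDR)   # 8 bytes
STATUS_LAST_PACKET = 0x01       # assumption: last-packet indicator is bit 0 of status


@dataclass
class NetlibPacket:
    ptype: int
    status: int
    channel: int
    pktno: int
    window: int
    payload: bytes


@dataclass
class TdsPdu:
    ptype: int
    payload: bytes


def parse_netlib_packets(stream: bytes):
    """Carve complete NETLIB packets out of a reassembled byte stream.
    Returns (packets, leftover); leftover is a packet cut off by a TCP segment
    boundary and must wait for the next segment."""
    packets, off = [], 0
    while off + NETLIB_HDR_LEN <= len(stream):
        ptype, status, size, channel, pktno, window = struct.unpack_from(NETLIB_HDR, stream, off)
        if size < NETLIB_HDR_LEN:
            raise ValueError("NETLIB size field smaller than its own header")
        if off + size > len(stream):
            break                                   # split over real packets
        payload = stream[off + NETLIB_HDR_LEN:off + size]
        packets.append(NetlibPacket(ptype, status, channel, pktno, window, payload))
        off += size                                 # several packets per segment is fine
    return packets, stream[off:]


class TdsReassembler:
    """Feed in-order TCP payloads of one direction; get back complete TDS PDUs."""

    def __init__(self):
        self.buf = b""
        self.partial = []           # NETLIB packets of the PDU still being assembled

    def feed(self, tcp_payload: bytes):
        self.buf += tcp_payload
        packets, self.buf = parse_netlib_packets(self.buf)
        pdus = []
        for pkt in packets:
            # The comment says the type should be the same for every packet of a PDU.
            if self.partial and pkt.ptype != self.partial[0].ptype:
                raise ValueError("packet type changed in the middle of a TDS PDU")
            self.partial.append(pkt)
            if pkt.status & STATUS_LAST_PACKET:
                pdus.append(TdsPdu(pkt.ptype, b"".join(p.payload for p in self.partial)))
                self.partial = []
        return pdus


def netlib(ptype, status, payload, pktno=0, channel=0, window=0):
    """Build one NETLIB packet; only used to construct sample input here."""
    size = NETLIB_HDR_LEN + len(payload)
    return struct.pack(NETLIB_HDR, ptype, status, size, channel, pktno, window) + payload


def demo():
    """Constructed sample: one PDU spread over three NETLIB packets, delivered in
    three TCP segments whose boundaries fall inside a header and inside a payload."""
    stream = (netlib(0x04, 0x00, b"A" * 10, pktno=1)
              + netlib(0x04, 0x00, b"B" * 10, pktno=2)
              + netlib(0x04, STATUS_LAST_PACKET, b"C" * 5, pktno=3))
    segments = [stream[:12], stream[12:30], stream[30:]]
    reassembler, pdus = TdsReassembler(), []
    for seg in segments:
        pdus.extend(reassembler.feed(seg))       # nothing completes until segment 3
    return pdus


if __name__ == "__main__":
    for pdu in demo():
        print(f"TDS PDU type 0x{pdu.ptype:02x}, {len(pdu.payload)} payload bytes")
```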
From swzhao at gmail.com Fri Jul 24 11:04:38 2009
From: swzhao at gmail.com (Joshua (Shiwei) Zhao)
Date: Fri, 24 Jul 2009 11:04:38 -0700
Subject: [Winpcap-users] how to make the winpcap installer?
Message-ID:

Hi,
on the winpcap website, there are instructions on how to build winpcap. But that's only for building the various portions such as .sys and .dll files. How could I build an installer packaging all those together?

Thanks,
Joshua

From gianluca.varenni at cacetech.com Fri Jul 24 12:00:39 2009
From: gianluca.varenni at cacetech.com (Gianluca Varenni)
Date: Fri, 24 Jul 2009 12:00:39 -0700
Subject: [Winpcap-users] how to make the winpcap installer?
References:
Message-ID:

The instructions to package WinPcap are not publicly available.

Why do you want to repackage WinPcap?

Have a nice day
GV

----- Original Message -----
From: Joshua (Shiwei) Zhao
To: winpcap-users at winpcap.org
Sent: Friday, July 24, 2009 11:04 AM
Subject: [Winpcap-users] how to make the winpcap installer?

Hi,
on the winpcap website, there are instructions on how to build winpcap. But that's only for building the various portions such as .sys and .dll files. How could I build an installer packaging all those together?

Thanks,
Joshua

From swzhao at gmail.com Fri Jul 24 16:16:01 2009
From: swzhao at gmail.com (Joshua (Shiwei) Zhao)
Date: Fri, 24 Jul 2009 16:16:01 -0700
Subject: [Winpcap-users] how to make the winpcap installer?
In-Reply-To:
References:
Message-ID:

I'm making some simple changes to wpcap code and wish to give a single installer to my colleagues. Right now we're manually replacing the wpcap.dll file after installation and this is a bit of hassle.

Thanks,
Joshua

On Fri, Jul 24, 2009 at 12:00 PM, Gianluca Varenni <gianluca.varenni at cacetech.com> wrote:
> The instructions to package WinPcap are not publicly available.
>
> Why do you want to repackage WinPcap?
>
> Have a nice day
> GV
>
> ----- Original Message -----
> *From:* Joshua (Shiwei) Zhao
> *To:* winpcap-users at winpcap.org
> *Sent:* Friday, July 24, 2009 11:04 AM
> *Subject:* [Winpcap-users] how to make the winpcap installer?
>
> Hi,
> on the winpcap website, there are instructions on how to build winpcap. But that's only for building the various portions such as .sys and .dll files. How could I build an installer packaging all those together?
>
> Thanks,
> Joshua

From xbachngoctuyetx at gmail.com Mon Jul 27 22:52:05 2009
From: xbachngoctuyetx at gmail.com (tran thanh)
Date: Tue, 28 Jul 2009 12:52:05 +0700
Subject: [Winpcap-users] Read SQL data from bytes
Message-ID: <87bb77eb0907272252t27798f6fu42210ee489609d03@mail.gmail.com>

Dear all,
I use winpcap to capture a packet that was a response from SQL Server. I want to read the data of the packet, but I have some problems converting it from bytes.
ex: I use: Select ColumnA from TableA
Column ColumnA has DataType float
The values in the DataBase are 1 2 3 4 5 6
But the bytes I captured are (all bytes are decimal, not hex):
0 0 0 0 0 0 240 63 0 0 0 0 0 0 0 64 0 0 0 0 0 0 8 64 0 0 0 0 0 0 16 64 0 0 0 0 0 0 20 64 0 0 0 0 0 0 24 64 0 0 0 0 0 0 28 64
It is the same for DataTypes that are numbers like money, real, ...
Plz help me how to convert these!
Regard,
Tran Bach Thanh!
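An added example, not from anyone in the thread, that decodes the byte dump in the post above: each 8-byte group is an IEEE 754 double stored little-endian, which is how SQL Server sends the float type (0 0 0 0 0 0 240 63 is the pattern 0x3FF0000000000000, i.e. 1.0), so the captured column reads 1.0 through 7.0. The helper also accepts the 4-byte real type and a byte-order switch for the big-endian Sybase TDS 4/5 case the Wireshark comment earlier in this archive mentions; the real-type sample bytes are constructed.

```python
"""Decode captured TDS float/real column bytes. Added example, not code from
the thread: SQL Server sends FLOAT as an 8-byte IEEE 754 double and REAL as a
4-byte single, both little-endian."""
import struct

# Byte dump copied from the post above (decimal value of each byte).
CAPTURED = ("0 0 0 0 0 0 240 63 0 0 0 0 0 0 0 64 0 0 0 0 0 0 8 64 "
            "0 0 0 0 0 0 16 64 0 0 0 0 0 0 20 64 0 0 0 0 0 0 24 64 "
            "0 0 0 0 0 0 28 64")

# struct format code and width of the two IEEE 754 column types.
COLUMN_TYPES = {"float": ("d", 8), "real": ("f", 4)}


def decode_column(dump: str, kind: str = "float", byteorder: str = "<") -> list:
    """Turn a space-separated decimal byte dump into a list of numbers.

    kind      : "float" (8-byte double) or "real" (4-byte single)
    byteorder : "<" little-endian (SQL Server) or ">" big-endian, for the
                Sybase TDS 4/5 case where the order is negotiated at login
    """
    code, width = COLUMN_TYPES[kind]
    raw = bytes(int(tok) for tok in dump.split())   # bytes() rejects values > 255
    if len(raw) % width:
        raise ValueError(f"{len(raw)} bytes is not a multiple of {width}; "
                         "the row is probably cut across two NETLIB packets")
    count = len(raw) // width
    return list(struct.unpack(f"{byteorder}{count}{code}", raw))


def explain_first_value(dump: str) -> str:
    """Show why '240 63' at the end of the first group means 1.0: the eight
    little-endian bytes form the 64-bit pattern 0x3FF0000000000000."""
    raw = bytes(int(tok) for tok in dump.split())[:8]
    pattern = int.from_bytes(raw, "little")
    return f"0x{pattern:016X} -> {struct.unpack('<d', raw)[0]}"


if __name__ == "__main__":
    print(decode_column(CAPTURED))                  # [1.0, 2.0, ..., 7.0]
    print(explain_first_value(CAPTURED))
    print(decode_column(CAPTURED, byteorder=">"))   # garbage: wrong byte order
```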
From andrejvanderzee at gmail.com Tue Jul 28 02:09:19 2009
From: andrejvanderzee at gmail.com (Andrej van der Zee)
Date: Tue, 28 Jul 2009 18:09:19 +0900
Subject: [Winpcap-users] including pcap.h fails build
Message-ID: <6456355d0907280209s4a1a1207y41003ea9ecd4d7eb@mail.gmail.com>

Hi,

I am trying to port my C++ Linux application that uses very basic features of libpcap. I am trying to compile this on Windows, but I keep getting into weird trouble that is maybe caused by my lack of understanding of Windows. But it only happens when I include "pcap.h" and define WIN32.

Anyway, these are the errors:

main.cpp
main.cpp(215) : error C2332: 'struct' : missing tag name
main.cpp(215) : error C2039: '' : is not a member of 'net_buckets'
c:\cygwin\home\andrej\mbrace\trunk\parsers\cap2net\../core/net_bucket.h(93) : see declaration of 'net_buckets'
main.cpp(215) : error C2274: 'function-style cast' : illegal as right side of '.' operator
main.cpp(240) : error C2332: 'struct' : missing tag name
main.cpp(240) : error C2039: '' : is not a member of 'net_buckets'
c:\cygwin\home\andrej\mbrace\trunk\parsers\cap2net\../core/net_bucket.h(93) : see declaration of 'net_buckets'
main.cpp(240) : error C2274: 'function-style cast' : illegal as right side of '.' operator
main.cpp(246) : error C2332: 'struct' : missing tag name
main.cpp(246) : error C2039: '' : is not a member of 'net_buckets'
c:\cygwin\home\andrej\mbrace\trunk\parsers\cap2net\../core/net_bucket.h(93) : see declaration of 'net_buckets'
main.cpp(246) : error C2274: 'function-style cast' : illegal as right side of '.' operator
main.cpp(256) : error C2332: 'struct' : missing tag name
main.cpp(256) : error C2039: '' : is not a member of 'net_buckets'
c:\cygwin\home\andrej\mbrace\trunk\parsers\cap2net\../core/net_bucket.h(93) : see declaration of 'net_buckets'
main.cpp(256) : error C2274: 'function-style cast' : illegal as right side of '.' operator

Removing the #include for "pcap.h" makes this issue go away. I searched the error number but it seems not to be applicable to my case.

I was hoping somebody could help me.

Best regards,
Andrej

From gianluca.varenni at cacetech.com Tue Jul 28 08:25:46 2009
From: gianluca.varenni at cacetech.com (Gianluca Varenni)
Date: Tue, 28 Jul 2009 08:25:46 -0700
Subject: [Winpcap-users] including pcap.h fails build
References: <6456355d0907280209s4a1a1207y41003ea9ecd4d7eb@mail.gmail.com>
Message-ID: <53BBFD0FB3BC44638165620685B60C78@NELSON3>

What is the content of line 215 in main.cpp, line 240 of main.cpp and line 93 of net_bucket.h?

Have a nice day
GV

----- Original Message -----
From: "Andrej van der Zee"
To:
Sent: Tuesday, July 28, 2009 2:09 AM
Subject: [Winpcap-users] including pcap.h fails build

> Hi,
>
> I am trying to port my C++ Linux application that uses very basic features of libpcap. I am trying to compile this on Windows, but I keep getting into weird trouble that is maybe caused by my lack of understanding of Windows. But it only happens when I include "pcap.h" and define WIN32.
>
> Anyway, these are the errors:
>
> main.cpp
> main.cpp(215) : error C2332: 'struct' : missing tag name
> main.cpp(215) : error C2039: '' : is not a member of 'net_buckets'
> c:\cygwin\home\andrej\mbrace\trunk\parsers\cap2net\../core/net_bucket.h(93) : see declaration of 'net_buckets'
> main.cpp(215) : error C2274: 'function-style cast' : illegal as right side of '.' operator
> main.cpp(240) : error C2332: 'struct' : missing tag name
> main.cpp(240) : error C2039: '' : is not a member of 'net_buckets'
> c:\cygwin\home\andrej\mbrace\trunk\parsers\cap2net\../core/net_bucket.h(93) : see declaration of 'net_buckets'
> main.cpp(240) : error C2274: 'function-style cast' : illegal as right side of '.' operator
> main.cpp(246) : error C2332: 'struct' : missing tag name
> main.cpp(246) : error C2039: '' : is not a member of 'net_buckets'
> c:\cygwin\home\andrej\mbrace\trunk\parsers\cap2net\../core/net_bucket.h(93) : see declaration of 'net_buckets'
> main.cpp(246) : error C2274: 'function-style cast' : illegal as right side of '.' operator
> main.cpp(256) : error C2332: 'struct' : missing tag name
> main.cpp(256) : error C2039: '' : is not a member of 'net_buckets'
> c:\cygwin\home\andrej\mbrace\trunk\parsers\cap2net\../core/net_bucket.h(93) : see declaration of 'net_buckets'
> main.cpp(256) : error C2274: 'function-style cast' : illegal as right side of '.' operator
>
> Removing the #include for "pcap.h" makes this issue go away. I searched the error number but it seems not to be applicable to my case.
>
> I was hoping somebody could help me.
>
> Best regards,
> Andrej

From andrejvanderzee at gmail.com Tue Jul 28 16:14:30 2009
From: andrejvanderzee at gmail.com (Andrej van der Zee)
Date: Wed, 29 Jul 2009 08:14:30 +0900
Subject: [Winpcap-users] including pcap.h fails build
In-Reply-To: <53BBFD0FB3BC44638165620685B60C78@NELSON3>
References: <6456355d0907280209s4a1a1207y41003ea9ecd4d7eb@mail.gmail.com> <53BBFD0FB3BC44638165620685B60C78@NELSON3>
Message-ID: <6456355d0907281614w542458b0h952c7651200c1c61@mail.gmail.com>

Hi,

Thanks for your reply.

On Wed, Jul 29, 2009 at 12:25 AM, Gianluca Varenni wrote:
> What is the content of line 215 in main.cpp, line 240 of main.cpp and line 93 of net_bucket.h?

The class net_buckets had a method called "interface". Changing the name solved the issue. Weird but true.

Cheers,
Andrej

From prasannakumar.n at imimobile.com Wed Jul 29 03:28:22 2009
From: prasannakumar.n at imimobile.com (Prasanna Kumar Nelam)
Date: Wed, 29 Jul 2009 15:58:22 +0530
Subject: [Winpcap-users] RTP Packets
Message-ID:

Dear All,

I am developing the Streaming packet sniffing application; right now I implemented RTSP protocol packet sniffing.

From some documents and tutorials I came to know that the RTP and RTCP Packets start after getting the Play Response from the Server.

But I observed in Ethereal trace some RTP packets are captured after getting the SETUP (RTSP) response packet, from client to server.

The Testing scenario I have taken is:

At 10.0.1.253 (local Server IP) I have the rtsp stream (contains both Audio and video). I played this rtsp Stream from 10.0.2.195 (desktop sys) in Real Player and captured the packets using ethereal trace.

After setup response from 10.0.1.253 to 10.0.2.195, I got the RTP packets from 10.0.2.195 (Desktop) to 10.0.1.253 without any payload (malformed RTP Packet).

After Play Response from 10.0.1.253 I got RTP packets all from 10.0.1.253 to 10.0.2.195.

My doubt is what the RTP packets from client to server represent, because in the combo RTCP packet the SSRC of the receiver report (RR Packet type) is the SSRC of these Packets.

Thanks in Advance.

Thanks and Regds,
Prasanna Kumar.N,
Software Engineer,
R&D Networks,
Mob:9000016358

=============================================
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify the sender immediately by e-mail and delete this e-mail from your system. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Finally, the recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any attachment with this email.
IMImobile, Plot No:770, Road No : 44, Jubilee Hills, Hyderabad, India, 500033. www.imimobile.com
=============================================
This e-mail message has been scanned for Viruses and Content and cleared by Symantec Mail Security

From timgrab at comcast.net Wed Jul 29 10:30:46 2009
From: timgrab at comcast.net (timgrab at comcast.net)
Date: Wed, 29 Jul 2009 17:30:46 +0000 (UTC)
Subject: [Winpcap-users] problem between WpdPack sample exe's and MFC port - Attachments?
In-Reply-To: <300997718.6705331248888637951.JavaMail.root@sz0089a.westchester.pa.mail.comcast.net>
Message-ID: <860284016.6705461248888646028.JavaMail.root@sz0089a.westchester.pa.mail.comcast.net>

Hi again,

I'd love to be able to supply a trace, and I have one, but I am not sure if the mailing list accepts attachments... I am new to mailing lists and was not even sure how to reply in my own thread!! I am attempting to attach my trace to this message.

Regards,
Tim G
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SIP_Only.pcap
Type: application/octet-stream
Size: 3696 bytes
Url : http://www.winpcap.org/pipermail/winpcap-users/attachments/20090729/55121067/attachment.obj

From xbachngoctuyetx at gmail.com Thu Jul 30 19:21:36 2009
From: xbachngoctuyetx at gmail.com (tran thanh)
Date: Fri, 31 Jul 2009 09:21:36 +0700
Subject: [Winpcap-users] Packet From Application?
Message-ID: <87bb77eb0907301921x7b1d59ffhf7d622c6dd866530@mail.gmail.com>

Dear All,
I have captured a packet sent to SQL Server. How do I know which Application sent it?
Regard,
Tran Bach Thanh.

From gianluca.varenni at cacetech.com Fri Jul 31 08:05:39 2009
From: gianluca.varenni at cacetech.com (Gianluca Varenni)
Date: Fri, 31 Jul 2009 08:05:39 -0700
Subject: [Winpcap-users] Packet From Application?
References: <87bb77eb0907301921x7b1d59ffhf7d622c6dd866530@mail.gmail.com>
Message-ID:

There is no easy way to know that with the current WinPcap architecture.
Is the application running on the same machine as WinPcap?

Have a nice day
GV

----- Original Message -----
From: tran thanh
To: winpcap-users at winpcap.org
Sent: Thursday, July 30, 2009 7:21 PM
Subject: [Winpcap-users] Packet From Application?

Dear All,
I have captured a packet sent to SQL Server. How do I know which Application sent it?
Regard,
Tran Bach Thanh.

From guy at alum.mit.edu Fri Jul 31 09:45:00 2009
From: guy at alum.mit.edu (Guy Harris)
Date: Fri, 31 Jul 2009 09:45:00 -0700
Subject: [Winpcap-users] Packet From Application?
In-Reply-To:
References: <87bb77eb0907301921x7b1d59ffhf7d622c6dd866530@mail.gmail.com>
Message-ID: <6E6A7E94-2878-4844-8EE0-482F5560455E@alum.mit.edu>

On Jul 31, 2009, at 8:05 AM, Gianluca Varenni wrote:
> There is no easy way to know that with the current WinPcap architecture.
> Is the application running on the same machine as WinPcap?

If not, there's no way to know that with any architecture for WinPcap or any other capture mechanism, as that information doesn't get sent in packets (the machine sending a packet might not even *have* identifiable applications running on it).
From Ed.Sassone at autonomy.com Thu Jul 30 11:01:06 2009
From: Ed.Sassone at autonomy.com (Sassone, Ed)
Date: Thu, 30 Jul 2009 13:01:06 -0500
Subject: [Winpcap-users] pcap_setbuff occasional failure
In-Reply-To:
References: <3E0D4FE2886743D5BF6FB7B00A3043C6@nelson2>
Message-ID:

Sorry, I was out of town and just saw this. It should be 32 bit. Our app is not supported on 64 bit currently so all should be 32 bit. We have seen this failure on a variety of servers but never very often.

Ed Sassone

CONFIDENTIALITY NOTICE: This communication and any files or attachments transmitted with it contain information that is confidential to the sender and/or Autonomy, Inc., privileged or exempt from disclosure under applicable law. It is intended solely for the use of the individual or the entity to which it is addressed. If you are not the intended recipient(s), you are hereby notified that any use, dissemination, or copying of this communication is strictly prohibited; please do not read, copy, use or disclose the content of this communication to others. If you have received this communication in error, please delete it and contact our network administrator at (214) 981-3100. Thank you.

________________________________
From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Gianluca Varenni
Sent: Friday, July 17, 2009 7:20 PM
To: winpcap-users at winpcap.org
Subject: Re: [Winpcap-users] pcap_setbuff occasional failure

32 or 64bit windows?

Have a nice day
GV

----- Original Message -----
From: Sassone, Ed
To: winpcap-users at winpcap.org
Sent: Tuesday, July 14, 2009 1:02 PM
Subject: Re: [Winpcap-users] pcap_setbuff occasional failure

Attached is a screen shot of the Task Manager on a system with the pcap_setbuff failure. Sorry it is a little small.

Ed Sassone

________________________________
From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Gianluca Varenni
Sent: Thursday, June 04, 2009 11:40 AM
To: winpcap-users at winpcap.org
Subject: Re: [Winpcap-users] pcap_setbuff occasional failure

Almost for sure it's not a problem with the application. It could be either a bug in the winpcap driver, or a bug in some other driver in the system that causes some memory exhaustion. It's like when a malloc fails in an application. A malloc can fail, usually due to either some memory leak in the application or due to virtual memory exhaustion on the system.

Have a nice day
GV

----- Original Message -----
From: Sassone, Ed
To: winpcap-users at winpcap.org
Sent: Thursday, June 04, 2009 9:29 AM
Subject: Re: [Winpcap-users] pcap_setbuff occasional failure

Thanks. Also can you think of anything in the application that we should do or should not do that might cause this? The error happens very rarely so it is hard to catch. We are using separate pcap_t handles for each thread.
Ed Sassone

________________________________
From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Gianluca Varenni
Sent: Wednesday, June 03, 2009 2:36 PM
To: winpcap-users at winpcap.org
Subject: Re: [Winpcap-users] pcap_setbuff occasional failure

The buffer is on an open-instance basis, not on a NIC basis. So it's perfectly safe to have two threads setting different buffer sizes on the same adapter, *provided* that you are using two different pcap_t handles.

Having said that, without a task manager screenshot it's impossible to understand why it failed. The error basically means that a malloc in the kernel driver failed, but it's impossible to know why without more information about the memory load at the time of the failure...

Have a nice day
GV

----- Original Message -----
From: Sassone, Ed
To: winpcap-users at winpcap.org
Sent: Monday, June 01, 2009 7:33 AM
Subject: Re: [Winpcap-users] pcap_setbuff occasional failure

We finally caught the error. We did not get the Task Manager screen shot. Also you are correct in that serializing the initialization did not help. One thing interesting, we have two threads per NIC card setting different buffer sizes. The first allocation worked and the second did not.

The bracketed number is the thread id.

05/29 14:24:54.53 Interface.cpp:93: [00001A54] Set buffer size to 1048576 for interface \Device\NPF_{F4E3EFD7-CAB0-481B-86E3-874358548A34} : Signaling Interface
05/29 14:24:54.53 Interface.cpp:85: [00001174] Could not set buffer size to 5242880 for interface \Device\NPF_{F4E3EFD7-CAB0-481B-86E3-874358548A34}: driver error: not enough memory to allocate the kernel buffer

Ed Sassone
www.autonomy.com

________________________________
From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Sassone, Ed
Sent: Wednesday, October 08, 2008 3:12 PM
To: winpcap-users at winpcap.org
Subject: RE: [Winpcap-users] pcap_setbuff occasional failure

Essentially a critical section around all the adapter initialization calls so it will only be in one set a time, across all threads and adapters.

Unfortunately I didn't have it print the pcap_geterr string. I just put that in. It may be awhile until we catch it in the act.
thanks Ed Sassone From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Gianluca Varenni Sent: Wednesday, October 08, 2008 2:05 PM To: winpcap-users at winpcap.org Subject: Re: [Winpcap-users] pcap_setbuff occasional failure Serializing pcap_setbuff should not be necessary (serializing against what? multiple calls on the same adapter? on the same pcap_t handle?). Expecially considering that the only solution is a reboot, I would think that there is some sort of leak either in the WinPcap driver or in some other driver in the system. What's the exact error message returned by pcap_setbuff? Also, after the problem occurs and before rebooting, open Task Manager, go to the Performance Tab and send me a screenshot of it, if possible. Have a nice day GV ----- Original Message ----- From: Sassone, Ed To: winpcap-users at winpcap.org Sent: Monday, October 06, 2008 2:15 PM Subject: [Winpcap-users] pcap_setbuff occasional failure Hi Every so often in our application during startup, the pcap_setbuff call will fail. We are unable to re-create the problem but it seems to happen after the application has been stopped and started a number of times. Once the failure occurs it will continue to occur, until a reboot. Our app is multithreaded with two threads starting per interface card, and we can have more than one interface card configured. The buffer size specified can vary but it's usually around 5-10 MB. I have recently put in some changes to serialize the command in case there is a timing issue, as I'm not sure if the call is thread safe. I remember there was thread issue with the filter command. This is on Windows 2003. Any other ideas? 
thanks
Ed Sassone

_______________________________________________
Winpcap-users mailing list
Winpcap-users at winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-users

From gianluca.varenni at cacetech.com Fri Jul 31 16:05:00 2009
From: gianluca.varenni at cacetech.com (Gianluca Varenni)
Date: Fri, 31 Jul 2009 16:05:00 -0700
Subject: [Winpcap-users] pcap_setbuff occasional failure
References: <3E0D4FE2886743D5BF6FB7B00A3043C6@nelson2>
Message-ID: <337078BA64A14E548A97E8FBB50F6940@NELSON3>

Well, the application can be 32bit but the OS can be 64 bit (a 32bit application can peacefully run on an x64 machine).

Have a nice day
GV

----- Original Message -----
From: Sassone, Ed
To: winpcap-users at winpcap.org
Sent: Thursday, July 30, 2009 11:01 AM
Subject: Re: [Winpcap-users] pcap_setbuff occasional failure

Sorry, I was out of town and just saw this. It should be 32 bit. Our app is not supported on 64 bit currently so all should be 32 bit. We have seen this failure on a variety of servers but never very often.
Ed Sassone

------------------------------------------------------------------------------
From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Gianluca Varenni
Sent: Friday, July 17, 2009 7:20 PM
To: winpcap-users at winpcap.org
Subject: Re: [Winpcap-users] pcap_setbuff occasional failure

32 or 64bit windows?

Have a nice day
GV

----- Original Message -----
From: Sassone, Ed
To: winpcap-users at winpcap.org
Sent: Tuesday, July 14, 2009 1:02 PM
Subject: Re: [Winpcap-users] pcap_setbuff occasional failure

Attached is a screen shot of the Task Manager on a system with the pcap_setbuff failure. Sorry it is a little small.

Ed Sassone

----------------------------------------------------------------------------
From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Gianluca Varenni
Sent: Thursday, June 04, 2009 11:40 AM
To: winpcap-users at winpcap.org
Subject: Re: [Winpcap-users] pcap_setbuff occasional failure

Almost for sure it's not a problem with the application. It could be either a bug in the winpcap driver, or a bug in some other driver in the system that causes some memory exhaustion. It's like when a malloc fails in an application. A malloc can fail, usually due to either some memory leak in the application or due to virtual memory exhaustion on the system.

Have a nice day
GV

----- Original Message -----
From: Sassone, Ed
To: winpcap-users at winpcap.org
Sent: Thursday, June 04, 2009 9:29 AM
Subject: Re: [Winpcap-users] pcap_setbuff occasional failure

Thanks. Also can you think of anything in the application that we should do or should not do that might cause this? The error happens very rarely so it is hard to catch. We are using separate pcap_t handles for each thread.

Ed Sassone
--------------------------------------------------------------------------
From: winpcap-users-bounces at winpcap.org [mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Gianluca Varenni
Sent: Wednesday, June 03, 2009 2:36 PM
To: winpcap-users at winpcap.org
Subject: Re: [Winpcap-users] pcap_setbuff occasional failure

The buffer is on an open-instance basis, not on a NIC basis. So it's perfectly safe to have two threads setting different buffer sizes on the same adapter, *provided* that you are using two different pcap_t handles.

Having said that, without a task manager screenshot it's impossible to understand why it failed. The error basically means that a malloc in the kernel driver failed, but it's impossible to know why without more information about the memory load at the time of the failure...

Have a nice day
GV

----- Original Message -----
From: Sassone, Ed
To: winpcap-users at winpcap.org
Sent: Monday, June 01, 2009 7:33 AM
Subject: Re: [Winpcap-users] pcap_setbuff occasional failure

We finally caught the error. We did not get the Task Manager screen shot. Also you are correct in that serializing the initialization did not help. One thing interesting, we have two threads per NIC card setting different buffer sizes. The first allocation worked and the second did not. The bracketed number is the thread id.

05/29 14:24:54.53 Interface.cpp:93: [00001A54] Set buffer size to 1048576 for interface \Device\NPF_{F4E3EFD7-CAB0-481B-86E3-874358548A34} : Signaling Interface
05/29 14:24:54.53 Interface.cpp:85: [00001174] Could not set buffer size to 5242880 for interface \Device\NPF_{F4E3EFD7-CAB0-481B-86E3-874358548A34}: driver error: not enough memory to allocate the kernel buffer

Ed Sassone
www.autonomy.com

From xbachngoctuyetx at gmail.com Fri Jul 31 19:48:03 2009
From: xbachngoctuyetx at gmail.com (tran thanh)
Date: Sat, 1 Aug 2009 09:48:03 +0700
Subject: [Winpcap-users] Packet From Application?
In-Reply-To: <6E6A7E94-2878-4844-8EE0-482F5560455E@alum.mit.edu>
References: <87bb77eb0907301921x7b1d59ffhf7d622c6dd866530@mail.gmail.com> <6E6A7E94-2878-4844-8EE0-482F5560455E@alum.mit.edu>
Message-ID: <87bb77eb0907311948t7e817269yb1c5271e11d18e6d@mail.gmail.com>

Dear Varenni,

I have a DataBase on the Server (I'm using Sql Server 2005). I want to know which application from the Client connects to Sql Server; in this case the Application doesn't run on the same machine as Winpcap.

And I have a problem: when I login to the SQL Server I have captured several packets. As I know, these packets are the Pre-Login and Login Messages between Server and Client. Can I get the LoginName, Password, Client Machine Name (or User Login) from these packets? If it can be, please show me how?

Regards,
Tran Bach Thanh!

From lamhong.bac at gmail.com Fri Jul 31 20:20:20 2009
From: lamhong.bac at gmail.com (LHB)
Date: Sat, 1 Aug 2009 10:20:20 +0700
Subject: [Winpcap-users] Packet From Application?
In-Reply-To: <87bb77eb0907301921x7b1d59ffhf7d622c6dd866530@mail.gmail.com>
References: <87bb77eb0907301921x7b1d59ffhf7d622c6dd866530@mail.gmail.com>
Message-ID:

Dear All

I also work on the same project as thanh, trying to build an SQL audit application. The application will be installed on the same server as SQL Server.
So the question is who (IP address, hostname, APPLICATION NAME, userid, etc.), when (date, time), what (query, update, delete, ddl change). We have difficulty in identifying which application sent the message to SQL server; can someone help us on this? Any idea is appreciated.

Thanks
Bac

On Fri, Jul 31, 2009 at 9:21 AM, tran thanh wrote:
> Dear All,
> I have captured a packet sent to SQL Server,
> How do I know Which Application sent it ?
>
> Regards,
> Tran Bach Thanh.

From dennis.kg at gmail.com Fri Jul 31 22:40:55 2009
From: dennis.kg at gmail.com (Denis Kourktchan)
Date: Sat, 1 Aug 2009 00:40:55 -0500
Subject: [Winpcap-users] Possible Culprits of Packet Disappearance
Message-ID: <4a73c837.1408c00a.3947.126e@mx.google.com>

Hi Everybody!

Thanks for reading my post. I have somewhat of a multi-layered problem. I am using winpcap to capture UDP broadcast messages on my network in promiscuous mode. All captured packets are sent to a program-level filter (i.e. winpcap's filtering capabilities are not used; all code is included at the end of this post) in a separate thread. I have been using my current setup for some time now but then I started noticing missing messages, A LOT of them. I am by no means an expert programmer (I picked up C++ through an online tutorial a year ago) so I am at a loss as to why I am losing the packets.

So far I have a few suspicions:
1. Messages are not queued in the thread that runs the pcap_dispatch() or pcap_loop(), so perhaps if the computer is having a hiccup there might be a drop of packets post capture.
2. The packets are filtered out elsewhere in the program before they hit the destination function.
I would appreciate any and all feedback on my code and possible problems; like I said, I am not an expert, so please chew it up as much as possible.

I have conducted several tests to provide you with extra information:
1. The same code ran on 4 different PCs on the same network and produced 4 different results.
2. Three instances of the same code ran on the same computer on the same network and produced 3 different results.
3. A number of variations of buffer sizes and function choices (_loop vs. _dispatch vs. _next_ex) produced different results on the same computer.
4. An application that the messages were intended for actually receives the messages fine while my program does not.
5. The packets seem to entirely stop coming in at random times.

Thank you in advance for your help,
- Dennis

My specs are:
OS: WinXP SP3
Compiler: Microsoft Visual Studio 2005 Version 8.0.50727.762, Microsoft Visual C++ 2005 SP1
Pcap: V3.1 and later V4.1beta5

Here is my code:

THIS IS THE FIRST FUNCTION LAUNCHED WHEN "GO BUTTON" is hit; it does the "background" winpcap stuff before launching a separate thread to process the captured packets.
    // Assumed to exist elsewhere in the project (not shown in the post): the
    // ip_header and udp_header structs from the WinPcap tutorial, the CForReal
    // and CMainDlg classes, theApp, and the DecompressPacket,
    // HandleConfirmationPacket and ProcessStockInfo helpers.
    #include <pcap.h>
    #include <zlib.h>      // Z_OK
    #include <deque>
    #include <string>
    #include <cstdio>
    #include <cstdlib>
    using namespace std;

    int CForReal::Go(int adapter)
    {
        (*m_mainDlg->m_debugOf) << endl << " GO BUTTON IS HIT " << endl;
        string cmdLineStr;
        for (int i = 0; m_lpCmdLine[i] != 0; ++i) {
            cmdLineStr = cmdLineStr + (char)(m_lpCmdLine[i]);
        }
        if (cmdLineStr.length() != 0) {
            //AfxBeginThread(WorkerThreadOldDataProc, NULL);
        } else {
            (*m_mainDlg->m_debugOf) << endl << " GO BUTTON IS HIT , LAUNCHING LIVE VERSION " << endl;
            // IF Command Line is empty launch Live Version, Launch WinPcap
            pcap_if_t *alldevs;
            char errbuf[PCAP_ERRBUF_SIZE];
            pcap_if_t *d;
            int i;
            pcap_t *adhandle;
            u_int netmask;
            struct bpf_program fcode;
            // parenthesised: "ip and udp or tcp" parses as "(ip and udp) or tcp",
            // which also passes non-IPv4 TCP to a handler that assumes IPv4
            char packet_filter[] = "ip and (udp or tcp)";

            /* Retrieve the device list */
            if (pcap_findalldevs(&alldevs, errbuf) == -1) {
                fprintf(stderr, "Error in pcap_findalldevs: %s\n", errbuf);
                exit(1);
            }
            /* Jump to the selected adapter (stop at the end of the list instead of dereferencing NULL) */
            for (d = alldevs, i = 0; d != NULL && i < adapter; d = d->next, i++);
            if (d == NULL) {
                fprintf(stderr, "\nAdapter index %d is out of range\n", adapter);
                pcap_freealldevs(alldevs);
                return -1;
            }
            printf("\nBefore pcap_open_live\n");
            /* Open the adapter */
            if ((adhandle = pcap_open_live(d->name,  // name of the device
                                           65536,    // portion of the packet to capture.
                                                     // 65536 grants that the whole packet will be captured on all the MACs.
                                           1,        // promiscuous mode (nonzero means promiscuous)
                                           500,      // read timeout
                                           errbuf    // error buffer
                                           )) == NULL) {
                // the original fprintf had a %s with no argument; print the device name and the reason
                fprintf(stderr, "\nUnable to open the adapter. %s is not supported by WinPcap: %s\n", d->name, errbuf);
                /* Free the device list */
                pcap_freealldevs(alldevs);
                return -1;
            }
            /* 40 MB kernel buffer for this open instance; on failure the handle's error text says why */
            if (pcap_setbuff(adhandle, 41943040) != 0) {
                fprintf(stderr, "\nUnable to expand the buffer size on %s: %s\n", d->name, pcap_geterr(adhandle));
                pcap_close(adhandle);
                /* Free the device list */
                pcap_freealldevs(alldevs);
                return -1;
            }
            printf("\nBefore pcap_datalink\n");
            /* Check the link layer. We support only Ethernet for simplicity. */
            if (pcap_datalink(adhandle) != DLT_EN10MB) {
                fprintf(stderr, "\nThis program works only on Ethernet networks.\n");
                pcap_close(adhandle);
                /* Free the device list */
                pcap_freealldevs(alldevs);
                return -1;
            }
            if (d->addresses != NULL)
                /* Retrieve the mask of the first address of the interface */
                netmask = ((struct sockaddr_in *)(d->addresses->netmask))->sin_addr.S_un.S_addr;
            else
                /* If the interface is without addresses we suppose to be in a C class network */
                netmask = 0xffffff;
            printf("\nBefore pcap_compile\n");
            //compile the filter
            if (pcap_compile(adhandle, &fcode, packet_filter, 1, netmask) < 0) {
                fprintf(stderr, "\nUnable to compile the packet filter. Check the syntax.\n");
                pcap_close(adhandle);
                /* Free the device list */
                pcap_freealldevs(alldevs);
                return -1;
            }
            printf("\nBefore pcap_setfilter\n");
            //set the filter
            if (pcap_setfilter(adhandle, &fcode) < 0) {
                fprintf(stderr, "\nError setting the filter.\n");
                pcap_close(adhandle);
                /* Free the device list */
                pcap_freealldevs(alldevs);
                return -1;
            }
            printf("\nlistening on %s...\n", d->description);
            /* At this point, we don't need any more the device list. Free it */
            pcap_freealldevs(alldevs);
            printf("\nBefore pcap_loop\n");
            /* start the capture */
            theApp.m_adhandle = adhandle;
            ///!!!4!!! Launches a LIVE READER
            AfxBeginThread(WorkerThreadProc, NULL);
        }
        return 0;
    }

THIS is the function launching pcap_loop:

    UINT WorkerThreadProc(LPVOID Param)
    {
        pcap_loop(theApp.m_adhandle, 0, packet_handler, NULL);
        return 0;   // the original fell off the end of a function declared to return UINT
    }

The packet_handler()

    // pcap_loop takes a plain function pointer, so packet_handler has to be
    // declared static in CMainDlg; a non-static member cannot be passed as a pcap_handler.
    void CMainDlg::packet_handler(u_char *param, const struct pcap_pkthdr *header, const u_char *pkt_data)
    {
        //struct tm *ltime;
        //char timestr[16];
        ip_header *ih;
        udp_header *uh;
        u_int ip_len;
        u_short sport, dport;
        //u_int gg;
        //u_char letter;

        /* convert the timestamp to readable format */
        //ltime=localtime(&header->ts.tv_sec);
        //strftime( timestr, sizeof timestr, "%H:%M:%S", ltime);
        /* print timestamp and length of the packet */
        //printf("%d.%.6d len:%d ", header->ts.tv_sec, header->ts.tv_usec, header->len);

        // Only header->caplen bytes of pkt_data exist; every header position below is
        // checked against it before it is dereferenced, so a runt or truncated frame
        // is skipped instead of read past the end of the buffer.
        if (header->caplen < 14 + 20)
            return;
        /* retrieve the position of the ip header */
        ih = (ip_header *) (pkt_data + 14); //length of ethernet header
        /* retrieve the position of the udp header */
        ip_len = (ih->ver_ihl & 0xf) * 4;
        if (ip_len < 20 || header->caplen < 14 + ip_len + 8)
            return;
        uh = (udp_header *) ((u_char*)ih + ip_len);
        /* convert from network byte order to host byte order */
        sport = ntohs( uh->sport );
        dport = ntohs( uh->dport );

        // FIRST possible reason to lose packets (ih->proto mess up)
        if (ih->proto == 6) { // TCP
            //unsigned int jjj = sizeof(tcp_Header);
            // the TCP header is 20 bytes only without options; take its length from the data-offset field
            if (header->caplen < 14 + ip_len + 20)
                return;
            u_int tcp_len = (((u_char *) uh)[12] >> 4) * 4;
            if (tcp_len < 20 || header->caplen < 14 + ip_len + tcp_len)
                return;
            u_char * data_start = ((u_char *) uh) + tcp_len;
            u_short data_length = header->caplen - ( (u_char *)uh - pkt_data) - tcp_len;   // caplen, not len
            if (data_length >= 4 && data_start[0] == 'G' && data_start[1] == 'I' && data_start[2] == 'O' && data_start[3] == 'P' ) {
                // AnalyzeGiop(data_start, data_length);
            }
        } else { // UDP
            u_char * data_start = ((u_char *) uh) + 8;
            u_short data_length = header->caplen - ( (u_char *)uh - pkt_data) - 8;   // caplen, not len
            if (dport == 3874) {
                HandleConfirmationPacket(data_start, data_length);
            }
            // SECOND possible reason for packet loss dport mess up
            else if (dport == 1874) {
                //*m_debugOf << "Before Handling UDP 1874" << endl;
                if (data_length < 24)   // otherwise the subtraction below wraps the u_short
                    return;
                data_start = ((u_char *) data_start) + 24;
                data_length = data_length - 24;
                if (data_length > 1 && data_start[0] == 0x78 && data_start[1] == 0x9c) {
                    unsigned char decompressed_data_start[30000];
                    unsigned short decompressed_data_length;
                    //*m_debugOf << "Before DecompressPacket" << endl;
                    int ret = DecompressPacket(data_start, data_length, decompressed_data_start, &decompressed_data_length);
                    if (ret != Z_OK) {
                        *m_debugOf << "Decompression error!!!!!!!!! code: " << ret << endl;
                        return;   // decompressed_data_length is undefined when inflate fails
                    }
                    //*m_debugOf << "After DecompressPacket" << endl;
                    HandlePacket(decompressed_data_start, decompressed_data_length);
                } else {
                    HandlePacket(data_start, data_length);
                }
                //*m_debugOf << "After Handling UDP 1874" << endl;
            }
        }
    }

And last but not least, the function before the final destination:

    void CMainDlg::HandlePacket(u_char * data_start, u_short data_length)
    {
        // the archive stripped the template arguments; the list holds string pointers
        deque<string*> * list = new deque<string*>();
        string * str = new string();
        for (u_int gg = 3; gg < data_length; ++gg) {
            u_char letter = *(data_start + gg);
            if (letter == 0 || letter == 0x1e) {
                if (str->length() > 0) {
                    list->push_back(str);
                    str = new string();
                }
            } else {
                str->push_back(letter);
                printf("%c", letter < 32 || letter >= 0x80 ? '.' : letter);
            }
        }
        delete str;   // a trailing record with no 0 / 0x1e terminator is discarded here
        deque<string*>::const_iterator it;
        for (it = list->begin(); it != list->end(); ++it) {
            ProcessStockInfo(*it); //this is the destination function
        }
        for (it = list->begin(); it != list->end(); ++it) {
            delete *it;
        }
        delete list;
    }
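The callback above locates the IP and UDP headers by fixed offsets and takes data_length from header->len, with no check that the captured bytes actually contain the headers it dereferences and no allowance for Ethernet padding or a TCP header longer than 20 bytes. The following is an added example, not code from Dennis's post or from WinPcap: a bounds-checked Ethernet/IPv4 to UDP/TCP demultiplexer in the shape a pcap callback needs (it takes caplen and len as pcap_pkthdr supplies them), plus a builder for a constructed test frame so it runs without a capture driver. The function names (classify_frame, build_udp_frame, run_checks), the 10.0.0.x addresses, the ports and the record payload are all this example's own.

```c
/* Added example: bounds-checked L2/L3/L4 demultiplexing over captured bytes.
 * Not part of the original post; names, addresses and sample frame are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN      14
#define IPV4_MIN_HLEN 20
#define UDP_HLEN      8
#define TCP_MIN_HLEN  20
#define ETH_MIN_FRAME 60   /* minimum frame length as delivered by the capture (no FCS) */

enum frame_status {
    FRAME_OK = 0,
    FRAME_TRUNCATED,   /* caplen shorter than the headers claim, or malformed lengths */
    FRAME_NOT_IPV4,    /* EtherType is not 0x0800, or the IP version is not 4 */
    FRAME_OTHER_PROTO  /* IPv4, but neither UDP (17) nor TCP (6) */
};

struct l4_view {
    uint8_t  proto;
    uint16_t sport, dport;
    size_t   payload_off;  /* offset of the transport payload within the frame */
    size_t   payload_len;  /* payload bytes actually captured, Ethernet padding excluded */
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* caplen = bytes present in pkt (pcap_pkthdr.caplen); len = wire length (pcap_pkthdr.len).
 * Every offset is compared with caplen before the byte behind it is read. */
enum frame_status classify_frame(const uint8_t *pkt, size_t caplen, size_t len,
                                 struct l4_view *out)
{
    size_t ip_off = ETH_HLEN, ip_hlen, ip_total, ip_end, l4_off, l4_hlen;

    if (len < caplen) len = caplen;                 /* len can never be below what was captured */
    if (caplen < ip_off + IPV4_MIN_HLEN) return FRAME_TRUNCATED;
    if (be16(pkt + 12) != 0x0800 || (pkt[ip_off] >> 4) != 4) return FRAME_NOT_IPV4;

    ip_hlen  = (size_t)(pkt[ip_off] & 0x0f) * 4;    /* IHL, IP options included */
    ip_total = be16(pkt + ip_off + 2);
    l4_off   = ip_off + ip_hlen;
    if (ip_hlen < IPV4_MIN_HLEN || caplen < l4_off) return FRAME_TRUNCATED;

    out->proto = pkt[ip_off + 9];
    if (out->proto == 17)      l4_hlen = UDP_HLEN;
    else if (out->proto == 6)  l4_hlen = TCP_MIN_HLEN;
    else                       return FRAME_OTHER_PROTO;
    if (caplen < l4_off + l4_hlen) return FRAME_TRUNCATED;
    if (out->proto == 6) {
        l4_hlen = (size_t)(pkt[l4_off + 12] >> 4) * 4;   /* TCP data offset, options included */
        if (l4_hlen < TCP_MIN_HLEN || caplen < l4_off + l4_hlen) return FRAME_TRUNCATED;
    }

    out->sport = be16(pkt + l4_off);
    out->dport = be16(pkt + l4_off + 2);
    out->payload_off = l4_off + l4_hlen;

    /* Payload ends where the IP total length says, not where the frame ends:
     * a short datagram is padded to 60 bytes on the wire. Clip to what was captured. */
    ip_end = ip_off + ip_total;
    if (ip_end < out->payload_off) return FRAME_TRUNCATED;   /* total length smaller than the headers */
    if (ip_end > len)    ip_end = len;
    if (ip_end > caplen) ip_end = caplen;                    /* snaplen cut the payload short */
    out->payload_len = ip_end - out->payload_off;
    return FRAME_OK;
}

/* Builds a constructed Ethernet/IPv4/UDP frame in buf (zero MACs, zero checksums,
 * constructed 10.0.0.1 -> 10.0.0.255). Returns the frame length, 0 if it does not fit. */
size_t build_udp_frame(uint8_t *buf, size_t cap, uint16_t sport, uint16_t dport,
                       const uint8_t *payload, size_t plen)
{
    size_t ip_total = IPV4_MIN_HLEN + UDP_HLEN + plen, total = ETH_HLEN + ip_total;
    uint8_t *ip, *udp;
    if (total > cap || ip_total > 0xffff) return 0;
    memset(buf, 0, cap);                        /* bytes past the frame stay zero, like padding */
    buf[12] = 0x08; buf[13] = 0x00;             /* EtherType IPv4 */
    ip = buf + ETH_HLEN;
    ip[0] = 0x45;                               /* version 4, IHL 5 */
    ip[2] = (uint8_t)(ip_total >> 8); ip[3] = (uint8_t)ip_total;
    ip[8] = 64; ip[9] = 17;                     /* TTL, protocol UDP */
    ip[12] = 10; ip[15] = 1; ip[16] = 10; ip[19] = 255;
    udp = ip + IPV4_MIN_HLEN;
    udp[0] = (uint8_t)(sport >> 8); udp[1] = (uint8_t)sport;
    udp[2] = (uint8_t)(dport >> 8); udp[3] = (uint8_t)dport;
    udp[4] = (uint8_t)((UDP_HLEN + plen) >> 8); udp[5] = (uint8_t)(UDP_HLEN + plen);
    memcpy(udp + UDP_HLEN, payload, plen);
    return total;
}

/* Runs the parser over the constructed frame; returns how many of the 6 checks passed. */
int run_checks(void)
{
    uint8_t frame[128];
    struct l4_view v;
    const uint8_t msg[] = "quote\x1e" "MSFT\x1e" "23.50";     /* 16 bytes, 0x1e-separated records */
    size_t n = build_udp_frame(frame, sizeof frame, 40000, 1874, msg, sizeof msg - 1);
    int passed = 0;

    /* 1: 58-byte frame parses; UDP payload starts at 42 and is 16 bytes long */
    if (n == 58 && classify_frame(frame, n, n, &v) == FRAME_OK && v.proto == 17
        && v.sport == 40000 && v.dport == 1874 && v.payload_off == 42 && v.payload_len == 16)
        passed++;
    /* 2: same frame padded to 60 bytes still reports 16, where "len - offsets" would say 18 */
    if (classify_frame(frame, ETH_MIN_FRAME, ETH_MIN_FRAME, &v) == FRAME_OK && v.payload_len == 16)
        passed++;
    /* 3: snaplen cut the capture at 50 bytes: headers parse, payload shrinks to 8 */
    if (classify_frame(frame, 50, n, &v) == FRAME_OK && v.payload_len == 8)
        passed++;
    /* 4: capture ends inside the UDP header: rejected, not read past */
    if (classify_frame(frame, 40, n, &v) == FRAME_TRUNCATED)
        passed++;
    /* 5: runt shorter than Ethernet + IPv4 headers */
    if (classify_frame(frame, 20, n, &v) == FRAME_TRUNCATED)
        passed++;
    /* 6: a non-IPv4 EtherType is never parsed as IP */
    frame[12] = 0x86; frame[13] = 0xdd;
    if (classify_frame(frame, n, n, &v) == FRAME_NOT_IPV4)
        passed++;
    return passed;
}

int main(void)
{
    int ok = run_checks();
    printf("%d of 6 checks passed\n", ok);
    return ok == 6 ? 0 : 1;
}
```

Check 2 is the one that matters for the record-splitting code: a short datagram arrives padded to 60 bytes, and a length computed from header->len hands the splitter 2 bytes of zero padding after the real data. Whether packets went missing before the callback ever ran is a separate question, answered by pcap_stats(): its ps_drop counter shows packets the kernel buffer discarded, while a packet that reached the callback and was then dropped by the parser never appears there.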